struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Struts zero-day vulnerability
Date Sat, 17 May 2014 07:00:34 GMT
We (Apache Struts) do not share the exact PoCs anymore to reduce risk
of informing attackers how to use given vulnerability, you can find
some examples over the internet - that's all I can suggest.

2014-05-16 23:57 GMT+02:00 Deepak Subbanarasimha <d.subbanarasimha@kewill.com>:
> Lukasz,
>
> Thank you for responding. This is very helpful.
>
> Do you have information on what kind of attacks this vulnerability would expose systems
to? Ex. Cross-Site scripting. Is there anything else?
>
> Do you have any suggestions on how to test this fix?
>
> Thanks,
> Deepak
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> Sent: Monday, May 05, 2014 8:00 AM
> To: Struts Users Mailing List
> Subject: Re: Struts zero-day vulnerability
>
> Here you have more details [1] and just to point it out - Struts 1 reached EOL [2] and
no further development is expected! Consider migration to Struts2 or any other modern framework.
>
> [1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2d8va2wlzt
> [2] http://struts.apache.org/struts1eol-announcement.html
>
> 2014-05-05 13:53 GMT+02:00 Deepak Subbanarasimha <d.subbanarasimha@kewill.com>:
>> Hello,
>>
>> We use struts version 1.2.2 and commons-file upload version 1.1.1.  It is not clear
from this notification if these versions are impacted.
>>
>>
>> 1.       Can anyone confirm if these versions or affected?
>>
>> 2.       If they are affected, what can be done? Should we upgrade to Struts 2.x?
>>
>> The notification below only talks about struts 2.x version.
>>
>> -Deepak
>>
>>
>>
>> PURPOSE
>>
>> -------------
>>
>> The purpose of this Alert is to bring attention to a recently announced security
vulnerability for Apache Struts.
>>
>>
>>
>> ASSESSMENT
>>
>> ------------------
>>
>> Apache Struts up to 2.3.16.1 is being reported as having a zero-day vulnerability.
In particular, Struts 2.3.16.1 has an issue with ClassLoader manipulation via request parameters
which was supposed to be resolved on 2 March 2014 through a security fix. Unfortunately, it
was confirmed that the correction wasn't sufficient.
>>
>>
>>
>> According to the Apache Struts Team, a security fix release fully addressing all
these issues is in preparation and will be released as soon as possible. Once the release
is available, all Struts 2 users are strongly encouraged to update their installations.
>>
>>
>>
>> SUGGESTED ACTION
>>
>> ----------------------------
>>
>> The Apache Struts Team has published the following mitigation information:
>>
>>
>>
>> In the struts.xml, replace all custom references to params-interceptor with the following
code, especially regarding the class-pattern found at the beginning of the excludeParams list:
>>
>>
>>
>> <interceptor-ref name="params">
>>
>>    <param
>>
>> name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^doj
>> o\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(
>> Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>>
>> </interceptor-ref>
>>
>>
>>
>> If you are using default interceptor stacks packaged in
>> struts-default.xml, change your parent packages to a customized
>> secured configuration as in the following example. Given you are using
>> defaultStack so far, change your packages from
>>
>>
>>
>> <package name="default" namespace="/" extends="struts-default">
>>
>>     <default-interceptor-ref name="defaultStack" />
>>
>>     ...
>>
>>     ...
>>
>> </package>
>>
>> to
>>
>>
>>
>> <package name="default" namespace="/" extends="struts-default">
>>
>>     <interceptors>
>>
>>         <interceptor-stack name="secureDefaultStack">
>>
>>             <interceptor-ref name="defaultStack">
>>
>>                 <param
>>
>> name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[)
>> .*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^s
>> ervlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</pa
>> ram>
>>
>>             </interceptor-ref>
>>
>>         </interceptor-stack>
>>
>>     </interceptors>
>>
>>
>>
>>     <default-interceptor-ref name="secureDefaultStack" />
>>
>>     ...
>>
>> </package>
>>
>>
>>
>> References:
>>
>> =================
>>
>> http://struts.apache.org/announce.html#a20140302
>>
>> IMPORTANT NOTICE: This email is intended solely for the use of the individual to
whom it is addressed and may contain information that is privileged, confidential or otherwise
exempt from disclosure under applicable law. If the reader of this email is not the intended
recipient or the employee or agent responsible for delivering the message to the intended
recipient, you are hereby notified that any dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this communication in error, please
immediately return the original message to the sender at the listed email address. In accordance
with Kewill policy, emails sent and received may be monitored. Although Kewill takes reasonable
precautions to minimize the risk, Kewill accepts no responsibility for any loss or damage
should this email contain any virus, or similar destructive or mischievous code.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message