www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
Date Mon, 05 Nov 2018 07:23:21 GMT
The Apache Struts Team recommends to immediately upgrade your Struts
2.3.36 based projects to use the latest released version of Commons
FileUpload library, which is currently 1.3.3. This is necessary to
prevent your publicly accessible web site from being exposed to
possible Remote Code Execution attacks (see [1] [2]).

This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 are
already using the latest commons-fileupload version [3].

Your project is affected if it uses the built-in file upload mechanism
of Struts 2, which defaults to the use of commons-fileupload. The
updated commons-fileupload library is a drop-in replacement for the
vulnerable version. Deployed applications can be hardened by replacing
the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
Maven based Struts 2 projects, the following dependency needs to be
added:

<dependency>
  <groupId>commons-fileupload</groupId>
  <artifactId>commons-fileupload</artifactId>
  <version>1.3.3</version>
</dependency>

More details can be found here:

[1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
[3] https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

on behalf of the Apache Struts Team

Kind regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Mime
View raw message