struts-commits mailing list archives

From rgie...@apache.org
Subject svn commit: r1589746 - /struts/site/trunk/source/announce.md
Date Thu, 24 Apr 2014 14:34:10 GMT
Author: rgielen
Date: Thu Apr 24 14:34:10 2014
New Revision: 1589746

URL: http://svn.apache.org/r1589746
Log:
0day exploit mitigation announcement

Modified:
    struts/site/trunk/source/announce.md

Modified: struts/site/trunk/source/announce.md
URL: http://svn.apache.org/viewvc/struts/site/trunk/source/announce.md?rev=1589746&r1=1589745&r2=1589746&view=diff
==============================================================================
--- struts/site/trunk/source/announce.md (original)
+++ struts/site/trunk/source/announce.md Thu Apr 24 14:34:10 2014
@@ -2,13 +2,57 @@
 layout: default
 title: Announcements
 ---
-
 # Announcements
 
 <p class="pull-right">
   Skip to: <a href="announce-2013.html">Announcements - 2013</a>
 </p>
 
+#### <span id="a20140424"> 2 March 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation
+
+In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed
to be resolved. Unfortunately, 
+the correction wasn't sufficient.
+
+A security fix release fully addressing this issue is in preparation and will be released
as soon as possible.
+
+Once the release is available, all Struts 2 users are strongly recommended to update their
installations.
+
+**Until the release is available, all Struts 2 users are strongly recommended to apply the
following mitigation:**
+
+In your struts.xml, replace all custom references to params-interceptor with the following
code, especially regarding the class-pattern
+found at the beginning of the excludeParams list:
+
+    <interceptor-ref name="params">
+       <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+    </interceptor-ref>
+
+If you are using default interceptor stacks packaged in struts-default.xml, change your parent
packages to a customized secured configuration
+as in the following example. Given you are using defaultStack so far, change your packages
from
+
+    <package name="default" namespace="/" extends="struts-default">
+        <default-interceptor-ref name="defaultStack" />
+        ...
+        ...
+    </package>
+
+to
+
+    <package name="default" namespace="/" extends="struts-default">
+        <interceptors>
+            <interceptor-stack name="secureDefaultStack">
+                <interceptor-ref name="defaultStack">
+                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+                </interceptor-ref>
+            </interceptor-stack>
+        </interceptors>
+
+        <default-interceptor-ref name="secureDefaultStack" />
+        ...
+    </package> 
+
+Please follow the Apache Struts Announcements to stay updated regarding the upcoming security
release. Most likely the release will be available within the next 72 hours.
+Please prepare for upgrading all Struts 2 based production systems to the new release version
once available.
+
 #### <span id="a20140302"> 2 March 2014 - Struts 2.3.16.1 General Availability Release
- Security Fix Release
 
 The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General
Availability"
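Review bot: the date in the new heading `+#### <span id="a20140424"> 2 March 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation` does not match its own anchor id (a20140424) or the commit date (24 April 2014); it looks copied from the 2.3.16.1 entry below and should read 24 April 2014 so readers do not take the mitigation for the older advisory. The excludeParams value is pasted verbatim into both the params-interceptor snippet and the secureDefaultStack example, so any later correction to the pattern has to be applied in both places; consider stating that explicitly or keeping a single snippet. The hunk also carries unrelated whitespace changes (the blank line dropped after the `---` front-matter delimiter and the trailing space on `</package> `) that should be left out of a content-only announcement commit.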
@@ -65,4 +109,4 @@ All developers are strongly advised to p
 <p class="pull-left">
   <strong>Next:</strong>
   <a href="kickstart.html">Kickstart FAQ</a>
-</p>
+</p>
\ No newline at end of file
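Review bot: this hunk changes nothing but the trailing newline (`-</p>` / `+</p>` followed by `\ No newline at end of file`), which is an unintended editor side effect; restore the final newline so the file ends as it did before and the diff stays limited to the announcement text.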