struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r986683 - /websites/production/struts/content/docs/s2-032.html
Date Tue, 26 Apr 2016 09:20:23 GMT
Author: lukaszlenart
Date: Tue Apr 26 09:20:23 2016
New Revision: 986683

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-032.html

Modified: websites/production/struts/content/docs/s2-032.html
==============================================================================
--- websites/production/struts/content/docs/s2-032.html (original)
+++ websites/production/struts/content/docs/s2-032.html Tue Apr 26 09:20:23 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-032-Summary">Summary</h2>Remote
Code Execution can be performed via <code>method:</code> prefix when Dynamic Method
Invocation is enabled.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation
if possible. Alternatively upgrade to&#160;<a shape="re
 ct" href="version-notes-2328.html">Struts 2.3.20.2</a><span>, <a shape="rect"
href="version-notes-2328.html">Struts 2.3.24.2</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>Nike Zheng </span>nike
dot zheng at dbappsecurity dot com dot cn</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3081</p></td></tr></tbody></table></div><h2
id="S2-032-Problem">Problem</h2><p>It is possible to pass a malicious expression
which can be us
 ed to execute arbitrary code on server side when Dynamic Method Invocation is enabled.</p><h2
id="S2-032-Solution">Solution</h2><p>Disable Dynamic Method Invocation when
possible or upgrade to Apache Struts versions 2.3.20.2, 2.3.24.2 or 2.3.28.1.</p><h2
id="S2-032-Backwardcompatibility">Backward compatibility</h2><p>No issues expected
when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1</p><h2 id="S2-032-Workaround">Workaround</h2><p>Disable
Dynamic Method Invocation or implement your own version of <code>ActionMapper</code>
based on a source code of the recommended Apache Struts versions.</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-032-Summary">Summary</h2>Remote
Code Execution can be performed via <code>method:</code> prefix when Dynamic Method
Invocation is enabled.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation
if possible. Alternatively upgrade to&#160;<a shape="re
 ct" href="version-notes-2328.html">Struts 2.3.20.2</a><span>, <a shape="rect"
href="version-notes-2328.html">Struts 2.3.24.2</a><span>&#160;</span><span>or
</span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2)</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>Nike Zheng </span>nike
dot zheng at dbappsecurity dot com dot cn</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3081</p></td></tr></tbody></table></div><h2
id="S2-032-Problem">Problem</h2><p>It is possible to pass a malicious expression
which can be u
 sed to execute arbitrary code on server side when Dynamic Method Invocation is enabled.</p><h2
id="S2-032-Solution">Solution</h2><p>Disable Dynamic Method Invocation when
possible or upgrade to Apache Struts versions 2.3.20.2, 2.3.24.2 or 2.3.28.1.</p><h2
id="S2-032-Backwardcompatibility">Backward compatibility</h2><p>No issues expected
when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1</p><h2 id="S2-032-Workaround">Workaround</h2><p>Disable
Dynamic Method Invocation or implement your own version of <code>ActionMapper</code>
based on a source code of the recommended Apache Struts versions.</p></div>
         </div>
 
         
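Review bot: the edited Affected Software cell still reads "Struts 2.3.20 - Struts <span ...>Struts 2.3.28 ...", so the rendered text repeats the word "Struts" before the upper bound; drop the duplicate (either the one outside the span or the one inside it) while this line is being touched. Two documentation points in the same region: all three upgrade links (2.3.20.2, 2.3.24.2 and 2.3.28.1) target version-notes-2328.html, so readers of the two backport releases land on the wrong release notes, and the only substantive change in this commit, narrowing the lower bound of the affected range from 2.0.0 to 2.3.20, is recorded in the log as just "Updates production"; the affected-version range is what scanners and operators act on, so the reason for moving it belongs in the log or the page. The Workaround section also tells readers to disable Dynamic Method Invocation without naming the setting; quoting the struts.xml constant `struts.enable.DynamicMethodInvocation` with value `false` would make the workaround actionable.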


