struts-user mailing list archives

From em...@cse.concordia.ca
Subject Re: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
Date Fri, 25 Apr 2014 13:52:42 GMT
Hello List,

I need your confirmation on the [1] mitigation. For example, with packages p1,
p2... pN, I should do the following for each package, right?

Am I missing anything, or is there a way to patch one place and
cover all packages instead of doing p1... pN?


(a) struts1.xml
<package name="p1" namespace="/n1" extends="tiles-default">
       <result-types>
          <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
       </result-types>

       <interceptors>
         <interceptor-stack name="secureDefaultStack">
             <interceptor-ref name="defaultStack">
                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
             </interceptor-ref>
         </interceptor-stack>
       </interceptors>

       <default-interceptor-ref name="secureDefaultStack" />
       <action name= ....>
......
</package>
......
......

(N) strutsN.xml
<package name="pN" namespace="/nN" extends="tiles-default">
       <result-types>
          <result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
       </result-types>

       <interceptors>
         <interceptor-stack name="secureDefaultStack">
             <interceptor-ref name="defaultStack">
                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
             </interceptor-ref>
         </interceptor-stack>
       </interceptors>

       <default-interceptor-ref name="secureDefaultStack" />
       <action name= ....>
......
</package>



On 04/24/2014 02:39 PM, Rene Gielen wrote:
> Yes.
>
> On 24.04.14 19:37, emilu@cse.concordia.ca wrote:
>> Hello List,
>>
>> I am using tiles-default:
>> <struts>
>>    <package name="Example" namespace="/Action/Example"
>> extends="tiles-default">
>>       <result-types>
>>          <result-type name="tiles"
>> class="org.apache.struts2.views.tiles.TilesResult" />
>>       </result-types>
>>
>>       <action name="*ProcessExampleAction"  method="{1}"
>> class="ExampleAction">
>>          <result name="success"   type="tiles">success_gui</result>
>>          <result name="ajax_check">
>>                 /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>>           </result>
>>       </action>
>> Do I need this update below as well?  Thank you!
>>
>> On 04/24/2014 11:32 AM, Rene Gielen wrote:
>>> In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
>>> parameters was supposed to be resolved. Unfortunately, the correction
>>> wasn't sufficient.
>>>
>>> A security fix release fully addressing this issue is in preparation and
>>> will be released as soon as possible.
>>>
>>> Once the release is available, all Struts 2 users are strongly
>>> recommended to update their installations.
>>>
>>> * Until the release is available, all Struts 2 users are strongly
>>> recommended to apply the mitigation described [1] *
>>>
>>> Please follow the Apache Struts announcement channels [2][3][4][5] to
>>> stay updated regarding the upcoming security release. Most likely the
>>> release will be available within the next 72 hours. Please prepare for
>>> upgrading all Struts 2 based production systems to the new release
>>> version once available.
>>>
>>> - The Apache Struts Team.
>>>
>>> [1] http://struts.apache.org/announce.html#a20140424
>>> [2] http://struts.apache.org/mail.html
>>> [3] http://struts.apache.org/announce.html
>>> [4] https://plus.google.com/+ApacheStruts/posts
>>> [5] https://twitter.com/TheApacheStruts



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
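The per-package check the question above walks through, as an added Python audit that is not from the thread or from the Struts project: it parses a set of struts*.xml documents and reports the packages that neither declare the hardened stack themselves nor inherit one from a package they extend. It assumes Struts resolves the default interceptor ref up the parent chain; the sample configs and their shortened excludeParams value are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample files (not from the thread): p1 carries the override,
# p2 inherits it by extending p1, p3 extends only tiles-default (unpatched).
SAMPLE_DOCS = [
    r"""<struts>
  <package name="p1" namespace="/n1" extends="tiles-default">
    <interceptors>
      <interceptor-stack name="secureDefaultStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack" />
  </package>
</struts>""",
    r"""<struts>
  <package name="p2" namespace="/n2" extends="p1" />
  <package name="p3" namespace="/n3" extends="tiles-default" />
</struts>""",
]

def load_packages(xml_docs):
    """Map package name -> <package> element across all documents."""
    return {pkg.get("name"): pkg
            for doc in xml_docs for pkg in ET.fromstring(doc).iter("package")}

def declares_hardened_stack(pkg):
    """True if the package's own default stack carries the class-exclusion override."""
    ref = pkg.find("default-interceptor-ref")
    for stack in pkg.iter("interceptor-stack"):
        if ref is not None and stack.get("name") == ref.get("name"):
            return any(p.get("name") == "params.excludeParams"
                       and "(c|C)lass" in (p.text or "")
                       for p in stack.iter("param"))
    return False

def is_covered(name, packages, seen=frozenset()):
    """Covered if this package, or a package it extends, declares the stack."""
    # Assumption: Struts resolves the default interceptor ref up the parent chain.
    pkg = packages.get(name)
    if pkg is None or name in seen:
        return False
    if declares_hardened_stack(pkg):
        return True
    return any(is_covered(parent.strip(), packages, seen | {name})
               for parent in (pkg.get("extends") or "").split(",") if parent.strip())

def audit(xml_docs):
    """Names of packages still running the stock defaultStack."""
    packages = load_packages(xml_docs)
    return sorted(n for n in packages if not is_covered(n, packages))
```

Running `audit` over the real struts*.xml files of a deployment lists the packages that still need the override; packages that extend only the framework's own tiles-default or struts-default are reported unless those parents were themselves modified.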