struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Struts zero-day vulnerability
Date Mon, 05 May 2014 11:59:59 GMT
Here you have more details [1] and just to point it out - Struts 1
reached EOL [2] and no further development is expected! Consider
migration to Struts2 or any other modern framework.

[1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2d8va2wlzt
[2] http://struts.apache.org/struts1eol-announcement.html

2014-05-05 13:53 GMT+02:00 Deepak Subbanarasimha <d.subbanarasimha@kewill.com>:
> Hello,
>
> We use struts version 1.2.2 and commons-file upload version 1.1.1.  It is not clear from
> this notification if these versions are impacted.
>
>
> 1. Can anyone confirm if these versions are affected?
>
> 2. If they are affected, what can be done? Should we upgrade to Struts 2.x?
>
> The notification below only talks about struts 2.x version.
>
> -Deepak
>
>
>
> PURPOSE
>
> -------------
>
> The purpose of this Alert is to bring attention to a recently announced security vulnerability
> for Apache Struts.
>
>
>
> ASSESSMENT
>
> ------------------
>
> Apache Struts up to 2.3.16.1 is being reported as having a zero-day vulnerability. In
> particular, Struts 2.3.16.1 has an issue with ClassLoader manipulation via request parameters
> which was supposed to be resolved on 2 March 2014 through a security fix. Unfortunately, it
> was confirmed that the correction wasn't sufficient.
>
>
>
> According to the Apache Struts Team, a security fix release fully addressing all these
> issues is in preparation and will be released as soon as possible. Once the release is available,
> all Struts 2 users are strongly encouraged to update their installations.
>
>
>
> SUGGESTED ACTION
>
> ----------------------------
>
> The Apache Struts Team has published the following mitigation information:
>
>
>
> In the struts.xml, replace all custom references to params-interceptor with the following
> code, especially regarding the class-pattern found at the beginning of the excludeParams list:
>
>
>
> <interceptor-ref name="params">
>    <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
> </interceptor-ref>
>
>
>
> If you are using default interceptor stacks packaged in struts-default.xml, change your
> parent packages to a customized secured configuration as in the following example. Given you
> are using defaultStack so far, change your packages from
>
>
>
> <package name="default" namespace="/" extends="struts-default">
>     <default-interceptor-ref name="defaultStack" />
>     ...
>     ...
> </package>
>
> to
>
>
>
> <package name="default" namespace="/" extends="struts-default">
>     <interceptors>
>         <interceptor-stack name="secureDefaultStack">
>             <interceptor-ref name="defaultStack">
>                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>             </interceptor-ref>
>         </interceptor-stack>
>     </interceptors>
>
>     <default-interceptor-ref name="secureDefaultStack" />
>     ...
> </package>
>
>
>
> References:
>
> =================
>
> http://struts.apache.org/announce.html#a20140302
>
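To check that a deployed struts.xml really carries the exclude list quoted in the alert above, here is an added example (not code from this thread or from the Struts project) that pulls the excludeParams value out of a constructed struts.xml fragment, compiles it the way the params interceptor builds its exclude list, and reports which constructed parameter names would be dropped before they reach OGNL. The fragment, the sample parameter names and the helper names are all assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed struts.xml excerpt with the secureDefaultStack mitigation from
# the thread; sample input for this example, not a real deployment.
STRUTS_XML = r"""<struts>
  <package name="default" namespace="/" extends="struts-default">
    <interceptors>
      <interceptor-stack name="secureDefaultStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack" />
  </package>
</struts>"""

def load_exclude_patterns(struts_xml):
    """Collect every excludeParams / params.excludeParams value in struts.xml
    and compile each comma-separated entry, as the params interceptor does."""
    patterns = []
    for param in ET.fromstring(struts_xml).iter("param"):
        if param.get("name") in ("excludeParams", "params.excludeParams"):
            for entry in (param.text or "").split(","):
                if entry.strip():
                    patterns.append(re.compile(entry.strip()))
    return patterns

def is_excluded(name, patterns):
    """True if the parameter name is dropped before it reaches OGNL; fullmatch
    mirrors Java's Matcher.matches(), so the whole name must match a pattern."""
    return any(p.fullmatch(name) for p in patterns)

def classify(names, patterns):
    """Split parameter names into (accepted, excluded) lists."""
    accepted = [n for n in names if not is_excluded(n, patterns)]
    return accepted, [n for n in names if n not in accepted]

PATTERNS = load_exclude_patterns(STRUTS_XML)
# Constructed parameter names: the class-prefixed forms the fix targets plus
# look-alikes showing where the broad ".*" prefix does and does not bite.
SAMPLE_NAMES = ["user.name", "class.classLoader.x", "Class.classLoader.x",
                "order['class'].x", "myclass.name", "classic.id",
                "subclassName", "struts.token", "action:save"]

if __name__ == "__main__":
    accepted, excluded = classify(SAMPLE_NAMES, PATTERNS)
    print("accepted:", accepted)  # ['user.name', 'classic.id', 'subclassName']
    print("excluded:", excluded)
```

Note that the leading `.*` alternative in the class pattern drops any name containing `class.` or `Class.` anywhere (`myclass.name` above), so it is worth running your own form field names through this before switching to the secured stack.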


