From: Deepak Subbanarasimha
To: user@struts.apache.org (Struts Users Mailing List)
Subject: Struts zero-day vulnerability
Date: Mon, 5 May 2014 11:53:55 +0000
Message-ID: <28d83d343a37450cb76fbea612eeb495@DB3PR04MB172.eurprd04.prod.outlook.com>

Hello,

We use Struts version 1.2.2 and commons-fileupload version 1.1.1. It is not clear from this notification if these versions are impacted.

1. Can anyone confirm if these versions are affected?
2. If they are affected, what can be done? Should we upgrade to Struts 2.x? The notification below only talks about the Struts 2.x version.

-Deepak

PURPOSE
-------------
The purpose of this Alert is to bring attention to a recently announced security vulnerability for Apache Struts.

ASSESSMENT
------------------
Apache Struts up to 2.3.16.1 is being reported as having a zero-day vulnerability. In particular, Struts 2.3.16.1 has an issue with ClassLoader manipulation via request parameters which was supposed to be resolved on 2 March 2014 through a security fix. Unfortunately, it was confirmed that the correction wasn't sufficient.

According to the Apache Struts Team, a security fix release fully addressing all these issues is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly encouraged to update their installations.

SUGGESTED ACTION
----------------------------
The Apache Struts Team has published the following mitigation information:

In the struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern found at the beginning of the excludeParams list:

(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*

If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration as in the following example. Given you are using defaultStack so far, change your packages from

...
...

to

(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
...
References:
=================
http://struts.apache.org/announce.html#a20140302
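The two struts.xml forms the mitigation above describes, written out as an added example; this is not the advisory's own XML excerpt (its markup is not reproduced above) and not Struts project code. The package names (`secure-default`, `myapp`), the action name and class, and the result path are assumptions; the excludeParams value is the advisory's list verbatim.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Added example, not the advisory's excerpt. Package, action and class names
     are assumptions; the excludeParams value is the advisory's list. -->
<struts>

  <!-- Form 1: a custom reference to the params interceptor on one action.
       excludeParams replaces the whole default list, so the complete list
       is given, with the class pattern first. -->
  <package name="myapp" extends="struts-default">
    <action name="save" class="com.example.SaveAction">
      <interceptor-ref name="params">
        <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
      </interceptor-ref>
      <result>/WEB-INF/jsp/save.jsp</result>
    </action>
  </package>

  <!-- Form 2: a secured parent package for applications that rely on
       defaultStack from struts-default.xml. Inside a stack reference the
       nested interceptor's parameter is addressed as "params.excludeParams". -->
  <package name="secure-default" extends="struts-default">
    <interceptors>
      <interceptor-stack name="secureDefaultStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureDefaultStack"/>
  </package>

  <!-- Existing packages change only their parent: extends="struts-default"
       becomes extends="secure-default" and the actions stay as they were. -->
  <package name="myapp-secured" extends="secure-default">
    <action name="list" class="com.example.ListAction">
      <result>/WEB-INF/jsp/list.jsp</result>
    </action>
  </package>

</struts>
```

Two points to check when applying this: every package that previously extended `struts-default` must be re-parented, since a package still extending `struts-default` keeps the unpatched stack; and this is a parameter-name blocklist, so it is a stop-gap until the fixed release the advisory refers to is installed.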
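A small checker for the excludeParams list above, added here as an example and not part of the original message or of Struts. It mirrors how Struts 2 applies the list (the value is split on commas and a parameter is dropped when any entry matches its whole name, i.e. `matches()` semantics, which `re.fullmatch` reproduces for this pattern). The parameter names are constructed test inputs of the shapes the advisory's pattern is written to catch, and the narrower "earlier" class pattern is an assumption about the shape of the March 2014 fix, used only to show why the `(c|C)` and `\[('|")` alternations matter; it is not quoted from Struts sources.

```python
import re

# The tail of the advisory's list, shared by both variants below.
COMMON_TAIL = (
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

# The class pattern exactly as given in the advisory above.
ADVISORY_CLASS_PATTERN = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""
ADVISORY_EXCLUDE_PARAMS = ADVISORY_CLASS_PATTERN + "," + COMMON_TAIL

# ASSUMPTION: shape of the narrower pattern the earlier fix relied on. It only
# catches a lower-case "class" segment preceded by the start of the name or a
# dot. Not a quotation from Struts; used to illustrate the gap the advisory closes.
EARLIER_CLASS_PATTERN = r"(.*\.|^)class\..*"
EARLIER_EXCLUDE_PARAMS = EARLIER_CLASS_PATTERN + "," + COMMON_TAIL


def compile_exclude_list(exclude_params: str):
    """Split a comma-separated excludeParams value and compile each entry,
    the way the params interceptor builds its list of patterns."""
    return [re.compile(p) for p in exclude_params.split(",") if p]


def is_excluded(param_name: str, patterns) -> bool:
    """True if the interceptor would drop this parameter before it reaches OGNL.
    Struts uses Matcher.matches(), i.e. the whole name must match."""
    return any(p.fullmatch(param_name) is not None for p in patterns)


# Constructed sample parameter names (not captured traffic): dotted, capitalised
# and bracket-quoted access to "class", framework-internal prefixes, and ordinary
# names that contain the word "class" but must keep working.
SAMPLE_PARAMS = [
    "class.classLoader.x",
    "Class.classLoader.x",
    "bean.class.classLoader.x",
    "bean['class'].classLoader.x",
    'bean["class"]["classLoader"]',
    "struts.token",
    "action:save",
    "className",
    "firstClassTicket",
    "user.name",
]


def classify(param_names=SAMPLE_PARAMS, exclude_params=ADVISORY_EXCLUDE_PARAMS):
    """Map each name to True (dropped) or False (passed through)."""
    patterns = compile_exclude_list(exclude_params)
    return {name: is_excluded(name, patterns) for name in param_names}


def bypasses_earlier_pattern(param_names=SAMPLE_PARAMS):
    """Names the advisory's list drops but the assumed earlier list let through."""
    earlier = compile_exclude_list(EARLIER_EXCLUDE_PARAMS)
    advisory = compile_exclude_list(ADVISORY_EXCLUDE_PARAMS)
    return [n for n in param_names
            if is_excluded(n, advisory) and not is_excluded(n, earlier)]


if __name__ == "__main__":
    for name, blocked in classify().items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {name}")
    print("let through by the earlier pattern:", bypasses_earlier_pattern())
```

Running it shows the capitalised `Class.` form and the `['class']` / `["class"]` bracket forms slipping past the narrower pattern while the advisory's list rejects all of them, and that ordinary names such as `className` or `firstClassTicket` are still accepted. The check is worth repeating against your own parameter names before deployment, since any name containing `class.` or `Class.` (for example `user.firstClass.seat`) is also dropped.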