From: Lukasz Lenart
Date: Mon, 5 Nov 2018 08:23:21 +0100
Subject: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
To: announce@apache.org, announcements@struts.apache.org, Struts Users Mailing List

The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36-based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.3. This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks (see [1], [2]).

This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 onwards already use the latest commons-fileupload version [3].
Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.

For Maven based Struts 2 projects, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
    </dependency>

More details can be found here:

[1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
[3] https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

on behalf of the Apache Struts Team

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
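The advisory says to replace the jar in WEB-INF/lib but gives no way to confirm what is actually deployed. The script below is an added example written for this page; it is not code from the advisory or from the Struts project. It assumes the three usual places a jar's version can be read from: the Maven pom.properties that Maven-built jars carry under META-INF/maven/<group>/<artifact>/, the Implementation-Version header in META-INF/MANIFEST.MF, and, as a last resort, the version embedded in the filename. The WEB-INF/lib it scans is constructed inside the script so that it runs offline; the jar names and contents are made up for the demonstration.

```python
"""Added example (not part of the Struts advisory): find commons-fileupload jars
in a deployed application's WEB-INF/lib and flag any older than the fixed 1.3.3.
The version is read from the jar's own metadata rather than trusted from its
filename, because a jar can be renamed or repacked without changing its contents."""
import os
import re
import tempfile
import zipfile

# First commons-fileupload release that contains the FILEUPLOAD-279 fix (CVE-2016-1000031).
FIXED_VERSION = (1, 3, 3)

# Assumed locations of version metadata inside a standard Maven-built jar.
POM_PROPERTIES = "META-INF/maven/commons-fileupload/commons-fileupload/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); '1.4' -> (1, 4, 0). A qualifier after the digits is ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def jar_version(jar_path):
    """Version string from pom.properties, else the manifest, else the filename; None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names:
            for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    m = re.search(r"^commons-fileupload-(\d[^/]*)\.jar$", os.path.basename(jar_path))
    return m.group(1) if m else None


def scan_lib(lib_dir):
    """Return [(jar name, version or None, vulnerable)] for every commons-fileupload jar in lib_dir.
    A jar whose version cannot be determined is reported as vulnerable so it gets checked by hand."""
    report = []
    for name in sorted(os.listdir(lib_dir)):
        if not (name.startswith("commons-fileupload") and name.endswith(".jar")):
            continue
        version = jar_version(os.path.join(lib_dir, name))
        parsed = parse_version(version) if version else None
        vulnerable = parsed is None or parsed < FIXED_VERSION
        report.append((name, version, vulnerable))
    return report


def build_sample_lib():
    """Constructed sample WEB-INF/lib: three fake commons-fileupload jars plus one unrelated jar."""
    lib_dir = os.path.join(tempfile.mkdtemp(), "WEB-INF", "lib")
    os.makedirs(lib_dir)
    jars = {
        # Fixed release, identified by its Maven metadata.
        "commons-fileupload-1.3.3.jar": {POM_PROPERTIES: "version=1.3.3\ngroupId=commons-fileupload\n"},
        # Renamed jar: the filename hides the version, the manifest still says 1.3.2.
        "commons-fileupload.jar": {MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 1.3.2\n"},
        # Repacked jar with no version metadata at all.
        "commons-fileupload-repacked.jar": {"org/apache/commons/fileupload/placeholder": ""},
        # Unrelated library that must be ignored by the scan.
        "commons-io-2.4.jar": {MANIFEST: "Manifest-Version: 1.0\nImplementation-Version: 2.4\n"},
    }
    for jar_name, entries in jars.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            for entry, content in entries.items():
                jar.writestr(entry, content)
    return lib_dir


if __name__ == "__main__":
    # Point scan_lib at a real <webapp>/WEB-INF/lib to check a deployment.
    for name, version, vulnerable in scan_lib(build_sample_lib()):
        print(f"{name}: version={version or 'unknown'} {'UPGRADE' if vulnerable else 'ok'}")
```

Treating an unreadable version as vulnerable is deliberate: a jar that has been stripped of its metadata is exactly the one nobody will remember to upgrade, and the cost of a false positive here is a manual look inside the jar.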