The team behind Apache Struts has strongly urged users to install the necessary update to mitigate the risk posed by an old bug in a bundled library
The Apache Software Foundation has recently released a security alert reiterating its recommendation that Apache Struts users ensure their installations run a version of the Commons FileUpload library newer than 1.3.2, so that their projects are not exposed to possible remote code execution attacks, digital forensics specialists report.
According to information security and digital forensics specialists from the International Institute of Cyber Security, versions of the Commons FileUpload library prior to 1.3.3 contain a Java deserialization flaw: a crafted serialized object, once deserialized by the application, can be used to write or copy files to arbitrary locations on disk.
“While the Java Object can be used alone, this new attack vector can be integrated with ysoserial to load and run binaries in a single deserialization call”, states the original security advisory for the vulnerability in question.
Unless a different mechanism has been wired in to provide file upload capability to web applications built with Struts, the framework's default is the Commons FileUpload component.
The Apache Software Foundation issued the first security alert on this issue last March. Since then, two new versions of Struts 2.3.x have been released; the most recent, Struts 2.3.36, shipped as a ‘General Availability’ release on October 15th. Like the versions before it, 2.3.36 still bundles the vulnerable version of the library: Commons FileUpload was updated to 1.3.3 only in Apache Struts 2.5.12, while the 2.3.x branch was left with the vulnerable 1.3.2.
How to fix this problem
The vulnerability referenced in the alert was discovered two years ago and was assigned CVE-2016-1000031. A similar alert was issued recently urging users to update the library, that time against a bug that can cause a denial of service (DoS) condition.
To eliminate the risk, users have to replace the vulnerable Commons FileUpload JAR manually, as digital forensics experts report. For applications that are already deployed, this is done by replacing the old JAR in ‘WEB-INF/lib’ with the latest ‘commons-fileupload’ JAR available for download, i.e. version 1.3.3 or later.
For Maven-based Struts 2 projects, the fix is to declare an explicit dependency on commons-fileupload 1.3.3 in the project's pom.xml, so that it overrides the version pulled in transitively by struts2-core.
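The declaration takes the following form. This is an added example of the pom.xml fragment, not text reproduced from the Apache alert; the only part that matters is the `<version>` element, which Maven's nearest-wins resolution lets take precedence over the 1.3.2 that struts2-core would otherwise bring in:

```xml
<!-- Added example: pin commons-fileupload to the fixed release in pom.xml.
     Place it inside <dependencies>, next to the struts2-core dependency. -->
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.3</version>
</dependency>
```

After rebuilding, `mvn dependency:tree -Dincludes=commons-fileupload` should show 1.3.3 as the single resolved version; if an older version still appears, another dependency is pinning it and needs the same treatment.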
Johannes Ullrich, a cybersecurity specialist, advises admins to review all their systems for the vulnerable library and remove it. “Struts is not the only tool using this library, and other developers might also have forgotten to release the corresponding updates”, Ullrich says.
Versions of Apache Struts 2.5.12 and above are not affected because they already bundle the fixed version of Commons FileUpload.
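One way to carry out that review on a server, as an added example that is not part of the advisory or of any Apache tooling: the POSIX shell script below walks a directory tree (for instance a servlet container's webapps directory), finds every deployed commons-fileupload JAR and reports whether it is older than 1.3.3. It assumes the JAR either keeps its upstream file name, commons-fileupload-<version>.jar, or carries the usual Maven metadata file META-INF/maven/commons-fileupload/commons-fileupload/pom.properties inside it; a renamed or repackaged JAR is reported as UNKNOWN rather than silently passed.

```shell
#!/bin/sh
# Added example: scan a directory tree (e.g. a servlet container's webapps/)
# for deployed commons-fileupload jars older than the fixed release.
# Assumptions (not from the advisory): the jar keeps its upstream name
# commons-fileupload-<version>.jar, and/or carries Maven metadata at
# META-INF/maven/commons-fileupload/commons-fileupload/pom.properties.

FIXED_VERSION="1.3.3"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Missing components count as 0, so "1.3" is older than "1.3.3".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# jar_version JAR: print the library version, preferring the Maven
# pom.properties inside the jar (when unzip is available) and falling back
# to the version embedded in the file name. Prints nothing if undeterminable.
jar_version() {
    v=""
    if command -v unzip >/dev/null 2>&1; then
        v=$(unzip -p "$1" META-INF/maven/commons-fileupload/commons-fileupload/pom.properties 2>/dev/null \
            | sed -n 's/^version=//p' | head -n 1)
    fi
    if [ -z "$v" ]; then
        v=$(basename "$1" .jar | sed -n 's/^commons-fileupload-//p')
    fi
    printf '%s\n' "$v"
}

# audit_fileupload DIR: print one line per jar found, tagged VULNERABLE,
# UNKNOWN (version could not be read) or OK.
audit_fileupload() {
    find "$1" -type f -name 'commons-fileupload*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if [ -z "$v" ]; then
            printf 'UNKNOWN    %s (version not determinable, inspect manually)\n' "$jar"
        elif version_lt "$v" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s (commons-fileupload %s < %s, CVE-2016-1000031)\n' "$jar" "$v" "$FIXED_VERSION"
        else
            printf 'OK         %s (commons-fileupload %s)\n' "$jar" "$v"
        fi
    done
}

# tree_needs_action DIR: succeed when at least one jar is VULNERABLE or
# UNKNOWN, i.e. when the admin still has work to do under that directory.
tree_needs_action() {
    audit_fileupload "$1" | grep -q -E '^(VULNERABLE|UNKNOWN)'
}

# Usage: sh audit_fileupload.sh /path/to/tomcat/webapps
if [ "$#" -gt 0 ]; then
    audit_fileupload "$1"
    if tree_needs_action "$1"; then exit 1; fi
fi
```

The exit status of the script is non-zero whenever something needs attention, so it can be dropped into a cron job or a configuration-management check. Because the library is also shipped inside other products, as Ullrich notes, run it against every Java deployment root on the host rather than only the Struts applications you know about.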