After False Start, Apache Struts Fixed

Tuesday, April 29, 2014 @ 04:04 PM gHale


The Apache Software Foundation released version 2.3.16.2 of Apache Struts, the open-source framework for creating Java web applications, to address a Zero Day vulnerability. This is the second patch to fix the issue; the first one, issued in March, was simply not a good patch.

It all started in March when the Apache Struts group released Struts 2.3.16.1, which supposedly fixed security issues: ClassLoader manipulation via request parameters, and an update to the Commons FileUpload library to prevent denial-of-service (DoS) attacks.


As it turns out, the fix for the ClassLoader manipulation was not very good, and as a result Struts 2.3.16.2 was released.

Struts 2.3.16.2 comes with improved excluded parameters to avoid ClassLoader manipulation via ParametersInterceptor. Excluded parameters have also been added to CookieInterceptor to “avoid ClassLoader manipulation when the interceptor is configured to accept all cookie names (wildcard matching via '*').”
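To make the interceptor change concrete, the following is an added illustration (not code from the Struts project and not its actual exclusion regexes) of why a narrow excluded-parameter pattern is insufficient. It models a parameter filter that denies names before they reach expression evaluation: a naive pattern that only catches an exact `class.` prefix, beside an improved pattern that catches the `class` property in any position, in any case, and in bracket/quoted index form, and a cookie-name filter that keeps applying the exclusion even when all cookie names are accepted with `*`. The regexes, function names and sample parameter names are constructed for this example.

```python
import re
from typing import Dict, Iterable

# Constructed, simplified deny patterns. These are illustrative assumptions,
# not the patterns shipped by Struts.

# Naive exclusion: blocks only names that start with the exact text "class."
NAIVE_EXCLUDE = re.compile(r"^class\..*")

# Improved exclusion: blocks any name in which a "class" segment appears,
# whether as the first segment, after dot navigation (a.class.b), or as a
# quoted index (a['class'].b / a["class"].b), regardless of case.
IMPROVED_EXCLUDE = re.compile(
    r"""(^|.*\.|.*\[['"])class(\.|['"]\]|\[|$).*""",
    re.IGNORECASE,
)


def is_excluded(name: str, pattern: "re.Pattern[str]") -> bool:
    """Return True if the parameter or cookie name matches the deny pattern."""
    return pattern.fullmatch(name) is not None


def filter_params(params: Dict[str, str], pattern: "re.Pattern[str]") -> Dict[str, str]:
    """Model of a parameters interceptor: drop excluded names, keep the rest."""
    return {k: v for k, v in params.items() if not is_excluded(k, pattern)}


def filter_cookies(cookies: Dict[str, str], accepted_names: Iterable[str],
                   pattern: "re.Pattern[str]") -> Dict[str, str]:
    """Model of a cookie interceptor.

    When the accepted-name list contains "*" every cookie name is accepted,
    so the exclusion pattern must still be applied; otherwise wildcard
    acceptance reopens the same ClassLoader-manipulation path.
    """
    accepted = set(accepted_names)
    result: Dict[str, str] = {}
    for k, v in cookies.items():
        if "*" not in accepted and k not in accepted:
            continue  # name not configured as acceptable
        if is_excluded(k, pattern):
            continue  # name reaches a class-related property; refuse it
        result[k] = v
    return result


if __name__ == "__main__":
    # Constructed sample parameter names exercising both patterns.
    samples = ["user.name", "class.foo", "Class.foo",
               "user.Class.foo", "user['class'].foo", "classification.level"]
    for name in samples:
        print(f"{name:24} naive={is_excluded(name, NAIVE_EXCLUDE)!s:5} "
              f"improved={is_excluded(name, IMPROVED_EXCLUDE)}")
    print(filter_cookies({"session": "s", "Class.x": "1"}, ["*"], IMPROVED_EXCLUDE))
```

Note that `classification.level` and similar legitimate names stay allowed under the improved pattern because the match is anchored on a whole `class` segment, not on the substring; a deny pattern that over-matches breaks applications and tends to get disabled, which is as bad as one that under-matches.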

All Struts 2 users should update their installations as soon as possible, officials said. Before version 2.3.16.2 was released, the Struts group published a method that could mitigate the attack. However, Struts officials recommend that users install the latest version rather than rely on the mitigation.

Additional details on the latest security update are available on the Struts website.


