Apache Struts 2 Closes Serious Hole

Tuesday, January 24, 2012 @ 02:01 PM gHale


The developers of the Apache Struts 2 Java web framework released version 2.3.1.2, which closes a critical hole in versions of Struts from 2.0.0 to 2.3.1.1 that allowed remote command execution.

The vulnerability allows an attacker to bypass all the protections built into the ParametersInterceptor (the acceptable-name regex pattern and the denial of method invocation), and thereby inject a malicious expression into any exposed string variable for later evaluation.


An example given in the advisory shows how an attacker could invoke the java.lang.Runtime.getRuntime().exec() method to run an arbitrary command if a vulnerable action existed. This is not the first time OGNL, an expression language used for getting and setting properties of Java objects, has been problematic; in 2008 and 2010, similar problems allowed for unauthorized manipulation and execution of Java classes.

Developers should update to Struts 2.3.1.2, which is available for download. Users will find details on how to update in the release notes. For installations that cannot update, the advisory offers a configuration change that mitigates the problem.
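As an added example (not from the article, the advisory or the Struts project), the check below shows the defender-side idea behind the mitigation: reject any request parameter name that is not a plain property path before it can reach an expression evaluator, and run the same check over access-log lines to spot requests that tried. The allow-list regex and the log lines are constructed for this example and are not the framework's own pattern or real traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Allow-list for parameter names: identifiers joined by dots, with optional
# simple index expressions. This is an assumption chosen for the example and is
# deliberately tighter than a framework default, so that the characters an
# expression language needs for calls or static references never pass.
SAFE_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*|\[[A-Za-z0-9_']+\])*$"
)

# Combined-log-style request line (constructed format for this example).
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"'
)


def unsafe_param_names(query_string: str) -> list[str]:
    """Return the decoded parameter names that fail the allow-list."""
    names = [name for name, _ in parse_qsl(query_string, keep_blank_values=True)]
    return [n for n in names if not SAFE_NAME.match(n)]


def scan_access_log(lines):
    """Yield (client_ip, offending_names) for each request whose query
    string carries a parameter name outside the allow-list."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        bad = unsafe_param_names(urlsplit(target).query)
        if bad:
            yield ip, bad


# Constructed sample lines (not real traffic): one ordinary request and one
# whose parameter name uses call syntax instead of a property path.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2012:14:01:00 +0000] "GET /app/login.action?user.name=bob&page=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jan/2012:14:01:03 +0000] "GET /app/login.action?user%28name%29=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: parameter name(s) outside allow-list: {names}")
```

The same allow-list can be applied at a reverse proxy or in a servlet filter in front of the application, which is the point at which an installation that cannot upgrade gains the most from it.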

Earlier this month, Apache Struts developers released version 2.3.1.1 of their open source framework for Java-based web applications.

That update closed critical holes in Struts 2, fixing four old and well-known security vulnerabilities that an attacker could exploit to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.
