Apache Struts Fixes Critical Holes

Thursday, July 18, 2013 @ 05:07 PM gHale


The Apache Software Foundation has released a security update for its popular Java web application development framework that addresses two vulnerabilities, including a critical one that could allow remote attackers to execute arbitrary code on the server.

The new Struts version 2.3.15.1 is now the “General Availability” release, the designation for the project’s highest-quality version available to users.


The new release addresses two vulnerabilities that stem from issues in the implementation of the DefaultActionMapper class and its “action:”, “redirect:” and “redirectAction:” prefixes.

“In Struts 2 before 2.3.15.1 the information following ‘action:’, ‘redirect:’ or ‘redirectAction:’ is not properly sanitized,” the Apache Struts developers said in an advisory. “Since said information will be evaluated as OGNL [Object Graph Navigation Language] expression against the value stack, this introduces the possibility to inject server side code.”

Attackers can also manipulate the information following “redirect:” or “redirectAction:” in order to redirect users to an arbitrary location.

To fix these two vulnerabilities, the Apache Struts developers added code that sanitizes the “action:”-prefixed information and removed support for the “redirect:” and “redirectAction:” prefixes altogether.

Applications that use the retired prefixes will no longer work properly after upgrading to Struts 2.3.15.1 or later versions. The Struts developers recommend replacing them in the code with fixed navigation rules.
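As an added example (not code from the article or from the Struts project), the following Python triage script scans Apache access-log request lines for use of the three DefaultActionMapper prefixes, separating OGNL-looking payloads and external redirect targets from ordinary prefix use that merely needs migrating before the upgrade. The log lines, addresses and hostnames are constructed for the example.

```python
"""Triage Struts 2 prefix abuse (action:/redirect:/redirectAction:) in access logs.

Constructed example: it inspects only the request line, so a hit is a reason to
investigate, not proof of exploitation.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Prefixes interpreted by DefaultActionMapper before Struts 2.3.15.1. The text after
# them was evaluated as an OGNL expression, and redirect*: also chose a redirect target.
PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKERS = ("%{", "${")  # expression syntax that has no business in a navigation hint
ABSOLUTE_URL = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)

# Common Log Format: client, ident, user, [timestamp], "METHOD target protocol" ...
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2013:17:07:01 +0000] "GET /app/index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jul/2013:17:07:02 +0000] "GET /app/index.action?redirect:%25%7BFAKE_OGNL%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [18/Jul/2013:17:07:03 +0000] "GET /app/login.action?redirectAction:http://phish.example/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [18/Jul/2013:17:07:04 +0000] "GET /app/list.action?action:viewReport HTTP/1.1" 200 900',
]


def classify(target: str):
    """Return [(finding, parameter_name), ...] for one request target like '/x.action?q=1'."""
    findings = []
    # The prefix lives in the parameter *name*; parse_qsl percent-decodes names, so an
    # encoded '%25%7B' is seen as '%{' before the marker check runs.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        payload = name[len(prefix):] or value
        if any(marker in payload for marker in OGNL_MARKERS):
            findings.append(("ognl-injection-attempt", name))
        elif prefix != "action:" and ABSOLUTE_URL.match(payload):
            findings.append(("open-redirect-attempt", name))
        else:
            findings.append(("prefix-used", name))  # benign use, but it breaks after the upgrade
    return findings


def scan_log(lines):
    """Yield (src, method, target, findings) for every parsable line with a finding."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            findings = classify(m["target"])
            if findings:
                yield m["src"], m["method"], m["target"], findings


if __name__ == "__main__":
    for src, method, target, findings in scan_log(SAMPLE_LOG):
        print(src, method, target, findings)
```

Running it over a real log would also surface the applications that still rely on the retired prefixes and therefore need navigation rules before moving to 2.3.15.1.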

The new Struts version also fixes a server path information leakage issue and adds improved input sanitizing for the file upload example.

“After a fileupload action, if the result JSP contains a tag, the value attribute is filled in with the server path where the file was saved,” the developers said. “This discloses file system information about the server.”


