Apache Struts Fixes Two Bugs

Wednesday, September 25, 2013 @ 01:09 PM gHale


There is an update to the Apache Struts framework that fixes two vulnerabilities.

To mark the seriousness of the update, the Apache Struts developers said users should upgrade to Struts 2.3.15.2 pronto.


One of the fixes for the open-source web application framework addresses a problem in the Dynamic Method Invocation (DMI) feature, which was already known to break users’ applications if relied on too heavily. The developers had previously shipped the feature enabled by default, with a warning that users should switch it off if possible. Now the default is reversed: the developers have disabled DMI by default. As a workaround, users can also set struts.enable.DynamicMethodInvocation to false in struts.xml themselves.
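As an added illustration (not from the article or from the Struts project), this is what the DMI workaround looks like in struts.xml, with the weak setting shown beside the hardened one; the package, action name and class are hypothetical:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Weak setting (the default before 2.3.15.2): with DMI on, the request
         URL may name which public method of an action class runs, using the
         "action!method" form instead of the mapped method. Kept commented
         out here only to show what the hardened line replaces. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Hardened setting: DMI explicitly off. 2.3.15.2 makes this the default;
         on older releases it is the workaround the article describes. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <package name="example" namespace="/" extends="struts-default">
        <!-- Hypothetical action. With DMI off, only the declared method
             ("execute") is reachable through this mapping; any other method
             of ExampleAction must be mapped explicitly to be invokable. -->
        <action name="example" class="com.example.web.ExampleAction" method="execute">
            <result name="success">/WEB-INF/jsp/example.jsp</result>
        </action>
    </package>
</struts>
```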

The second fix is for a broken access control vulnerability in Struts 2’s action mapping mechanism. A parameter in that mechanism supports the prefix “action:” so that navigational information can be attached to buttons in forms. Under certain scenarios attackers could use this feature to bypass security constraints. The update fixes the mechanism and tightens the security constraints. As with the DMI issue, there is a workaround: writing your own ActionMapper and dropping support for “action:”.

Struts is a project of the Apache Software Foundation, and developers use it to build Java-based web applications.
