Apache Struts Updates Holes

Friday, January 6, 2012 @ 12:01 PM gHale


Apache Struts developers released version 2.3.1.1 of their open source framework for Java-based web applications.

The update closes critical holes in Struts 2, fixing four old and well-known security vulnerabilities that an attacker could exploit to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.

Versions 2.1.0 to 2.3.1 of Struts suffer from the vulnerability; upgrading to 2.3.1.1 corrects the issues. Alternatively, the security advisory provides instructions for changing a configuration file, which mitigates the problem.
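As an added illustration (not text from the article or from the Struts project's advisory): the DMI feature the article describes, which lets a request select a method on an action class through the `action!method` URL form, is controlled in Struts 2 by the `struts.enable.DynamicMethodInvocation` constant, which is on by default in the affected 2.x releases. Whether this constant is exactly the configuration change the advisory prescribes is an assumption here; the action class name `com.example.ItemAction` is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Turn off Dynamic Method Invocation so that "action!method" style
         requests are no longer resolved to arbitrary methods on action
         classes. Assumption: this is the setting the advisory's workaround
         refers to; verify against the advisory for your exact version. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <package name="example" extends="struts-default">
        <!-- With DMI disabled, each reachable method must be mapped
             explicitly, so the set of callable methods is the set you
             declare here rather than whatever the request names.
             com.example.ItemAction is a placeholder class. -->
        <action name="viewItem" class="com.example.ItemAction" method="view">
            <result>/item.jsp</result>
        </action>
    </package>
</struts>
```

Disabling DMI is a mitigation, not a replacement for the upgrade to 2.3.1.1: it narrows what a request can name, while the release also corrects the underlying parameter and expression handling. After the change, confirm that any URLs of the `action!method` form your application relied on have been given explicit `<action>` mappings.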

For more information about the update, see the version notes and the project's security advisory.

Struts 2.3.1.1 is available to download from the project’s site.

Java has become the exploit vector of choice these days: it remains the application of choice for criminals, and security professionals remain concerned.

A Java exploit first published in October and used in drive-by attacks is now included in the Black Hole exploit kit, aimed primarily at “users in Russia, the U.S., the UK and Germany,” said Vyacheslav Zakorzhevsky, a security expert with Kaspersky Lab.
