Apache has Update for Struts Hole

Tuesday, November 6, 2018 @ 01:11 PM gHale

Apache Software Foundation wants users to update the Commons FileUpload library as soon as possible for those running Apache Struts 2.3.x to close a serious vulnerability.

That vulnerability could end up used to leverage a remote code execution attack.

RELATED STORIES
Oracle Feels Effects of Apache Struts Flaw
Cisco Clears Critical Vulnerabilities
Exploit Code Releases for Apache Struts Hole
Adobe Patches Acrobat, Reader, Experience Manager

Apache Struts 2 is an open source web application framework for developing Java EE web applications. The Commons FileUpload library adds file upload capabilities to servlets and web applications.

The vulnerability, which has a case number of CVE-2016-1000031, is present in Commons FileUpload versions before 1.3.3, and arose due to the inclusion of a Java Object that can be manipulated to write or copy files to disk in arbitrary locations.

The vulnerability is present in Apache Struts 2.3.x because it uses the vulnerable version of the library (v1.3.2).

Those who run Struts 2.5.x are not affected because it includes the patched version of the library.



Leave a Reply

You must be logged in to post a comment.