Apache Struts: Another Week, Another Fix

Wednesday, June 5, 2013 @ 03:06 PM gHale

For Apache Struts the fix was in one short week ago. Developers released an important security fix that would take care of security issues. Well, one week later another important fix for a highly critical security flaw in the web framework is now ready to go.

This week’s vulnerability is a combination of two problems. The framework allows action mapping based on wildcards and when a request doesn’t match an action, it tries to load a JSP file based on the name of the action. That name can end up as an OGNL expression which in turn, allows an attacker to execute Java code on the server side.

Apache Struts Security Patch Again
Apache Server Log File Hole
Malware Backdoor in Targeted Attacks
Multistage Attack Proves Fruitful

Details of the problem together with examples are available in the S2-015 security advisory.

Users of the framework should upgrade to version which is already available to download.

The update checks that action names match a regular expression of [a-z]*[A-Z]*[0-9]*[.\-_!/]* (though admins can change the regexp of allowed names through a constant in struts.xml) and the developers have removed the double evaluation from the OgnlTextParser.

This bug, like the previous one, ended up discovered by Coverity which published a detailed blog posting on the problem.

Leave a Reply

You must be logged in to post a comment.