Apache Struts Security Patch Again
Friday, May 31, 2013 @ 03:05 PM gHale
Version 2.3.14.2 update of the Apache Struts Java framework fixes several high-risk vulnerabilities that allow attackers to inject code into the server via specially crafted HTTP requests.
The holes have been identified as CVE-2013-2115 and CVE-2013-1966, the Struts developers said; the maximum threat level is “highly critical.”
Vulnerability details and a Proof of Concept (PoC) can be found on the Coverity blog.
Updating to Struts 2.3.14.1 was originally meant to close the holes, but that update failed to block all potential attack vectors.
All versions prior to 2.3.14.2 are vulnerable. Those who use the framework on their servers should, therefore, ensure it is up to date as soon as possible.
This is yet another Object-Graph Navigation Language (OGNL)-related problem for the Struts framework. Holes in the implementation of the expression language were previously uncovered and closed in January 2012, August 2010 and November 2008.
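Because the recurring Struts issues involve OGNL expressions arriving in crafted HTTP requests, a defender's first question is usually whether such requests already show up in the web server logs. The following is an added example, not code from the article or from the Struts project: a small scanner over Apache/nginx "combined"-format access log lines that URL-decodes each request target (repeatedly, to catch double encoding) and flags targets containing the OGNL expression delimiters `%{` or `${`, which ordinary form data almost never carries. The log lines are constructed sample input, and the delimiter heuristic is a generic triage check, not a signature for the specific CVEs named above.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2013:15:05:01 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [31/May/2013:15:05:03 +0000] "GET /app/index.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 77 "-" "curl/7.29"
198.51.100.4 - - [31/May/2013:15:05:04 +0000] "POST /app/save.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [31/May/2013:15:05:06 +0000] "GET /app/view.action?id=%24%7Bfoo%7D HTTP/1.1" 500 0 "-" "python-requests/1.2"
"""

# Fields of the "combined" log format that the scanner needs: client IP,
# timestamp, request method and target, and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions in Struts 2 are written as %{...} or ${...}.
OGNL_DELIM_RE = re.compile(r'[%$]\{')


def decode_fully(value, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that
    double- or triple-encoded input is inspected in its decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return one record per log line whose decoded request target
    contains an OGNL expression delimiter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        target = decode_fully(m.group('target'))
        if OGNL_DELIM_RE.search(target):
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'method': m.group('method'),
                'target': target,
                'status': int(m.group('status')),
            })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

Running the block against the sample input reports the two requests whose decoded query strings contain `%{1+1}` and `${foo}`. In practice the hits are a review queue, not proof of compromise: the decoded target and the response status tell you which requests reached a vulnerable action and whether the server answered normally, which is what you want alongside confirming the framework is at 2.3.14.2 or later.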