Apache Struts Security Patch Again

Version 2.3.14.2 update of the Apache Struts Java framework fixes several high-risk vulnerabilities that allow attackers to inject code into the server via specially crafted HTTP requests.

The holes have been identified as CVE-2013-2115 and CVE-2013-1966, said the Struts developers, the maximum threat level is “highly critical.”

RELATED STORIES
Apache Server Log File Hole
Malware Backdoor in Targeted Attacks
Multistage Attack Proves Fruitful
Apache Backdoor Leads to Blackhole

Vulnerability details and a Proof of Concept (PoC) can be found on the Coverity blog.

Originally, updating to Struts 2.3.14.1 would close the holes, but the update failed to block all potential attack vectors.

All versions prior to 2.3.14.2 are vulnerable. Those who use the framework on their servers should, therefore, ensure it is up to date as soon as possible.

This is yet another Object-Graph Navigation Language (OGNL)-related problem for the Struts framework. Holes in the implementation of the expression language have previously ended up uncovered and closed in January 2012, August 2010 and in November 2008.