Struts patches up hole in 2.3.1.2 release

Apache Struts team fix critical flaw in latest release

Chris Mayer

Remote command execution vulnerability now cleared up in newest version. But is this one time too many?

Developers behind open source web framework Apache Struts, which
has become a popular choice for creating Java web-based
applications, have released an update to secure a critical hole in
the software.

Apache Struts 2.3.1.2 solves a vulnerability that made it possible to bypass the protection around OGNL (Object Graph Navigation Language) expressions and evaluate arbitrary expressions to execute malicious Java code remotely.

The advisory details how this was possible: an attacker could invoke java.lang.Runtime.getRuntime().exec() through an OGNL expression to run an arbitrary command. The fix covers Struts versions 2.0.0 to 2.3.1.1.

This isn't the first time that Struts has been at the mercy of OGNL: similar problems, reported back in 2008 and 2010, allowed attackers to manipulate and deploy malicious Java code.

Bloggers were quick to pick up on the issues. Previous form suggests that this problem will keep cropping up in future versions, if it is so easy to get around.

Developers using the framework have been strongly advised to update to 2.3.1.2 to combat this problem as soon as possible. Those using Maven have been provided the details they need to configure the update within the release notes.
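Before applying the update, a practitioner first wants to know whether a build is actually inside the affected range. The following is an added example, not code from the Struts project or this article: it reads a Maven pom.xml and flags every org.apache.struts:struts2-* dependency whose version falls between 2.0.0 and 2.3.1.1 inclusive, the range the article gives for the fix. The pom.xml is a constructed sample; resolving `${...}` references from the `<properties>` block and treating struts2 plugins as versioned alongside struts2-core are my own assumptions about typical Struts builds, and versions inherited from a parent POM or BOM are not resolved.

```python
"""Flag Maven dependencies on Struts 2 versions in the range fixed by 2.3.1.2.

Added example, not from the Struts project or the article. The version range
(2.0.0 through 2.3.1.1, fixed in 2.3.1.2) is taken from the article; the sample
pom.xml below is constructed, and property resolution plus plugin handling are
assumptions about how Struts builds are usually written.
"""
import re
import xml.etree.ElementTree as ET

FIRST_AFFECTED = "2.0.0"
LAST_AFFECTED = "2.3.1.1"
FIXED = "2.3.1.2"


def parse_version(text):
    """'2.3.1.1' -> (2, 3, 1, 1).

    Qualifiers such as '-SNAPSHOT' are ignored and missing components are
    padded with zeros, so '2.3.1' compares as (2, 3, 1, 0) and sorts below
    the 2.3.1.x point releases.
    """
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError("not a numeric version: %r" % text)
    nums += [0] * (4 - len(nums))
    return tuple(nums)


def is_affected(version):
    """True when version lies in [FIRST_AFFECTED, LAST_AFFECTED]."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def _local(tag):
    """Strip the Maven POM namespace ({http://maven.apache.org/POM/4.0.0}tag)."""
    return tag.split("}", 1)[-1]


def _properties(root):
    """Collect <properties> as a dict so ${name} references can be expanded."""
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    return props


def _resolve(value, props):
    """Expand ${name} using <properties>; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def struts2_dependencies(pom_xml):
    """Return [(artifactId, version)] for each org.apache.struts:struts2-* dependency."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.struts":
            continue
        # Assumption: struts2 plugins ship with the same version as struts2-core.
        if not fields.get("artifactId", "").startswith("struts2-"):
            continue
        found.append((fields["artifactId"], _resolve(fields.get("version", ""), props)))
    return found


def affected_dependencies(pom_xml):
    """Dependencies whose version parses and falls in the affected range.

    Unresolved placeholders and versions managed elsewhere (empty here) are
    skipped rather than guessed.
    """
    out = []
    for artifact, version in struts2_dependencies(pom_xml):
        try:
            if version and is_affected(version):
                out.append((artifact, version))
        except ValueError:
            continue
    return out


# Constructed sample: one dependency pinned via a property, one already updated.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.2.3.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.3.1.2</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.10</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version in affected_dependencies(SAMPLE_POM):
        print("%s %s is in the affected range; update to %s" % (artifact, version, FIXED))
```

Run against a real build by replacing SAMPLE_POM with the contents of the project's pom.xml; anything the script lists should be moved to 2.3.1.2 using the coordinates in the release notes, and any dependency it silently skips because its version comes from a parent POM needs checking by hand.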

