Apache Struts team fix critical flaw in latest release
Remote command execution vulnerability now cleared up in newest version. But is this one time too many?
Developers behind open source web framework Apache Struts, which has become a popular choice for creating Java web-based applications, have released an update to secure a critical hole in the software.
Apache Struts 126.96.36.199 solves a vulnerability that made it possible to bypass the protection around OGNL (Object Graph Navigation Language) expressions and evaluate arbitrary expressions to execute malicious Java code remotely.
Details within an advisory reveal how this was possible, by invoking java.lang.Runtime.getRuntime().exec() to run an arbitary command. The fix covers Struts versions 2.0.0 to 188.8.131.52
This isn’t the first time that Struts has been at the mercy of previous OGNL problems reported back in 2008 and 2010 that allowed for malicious Java code manipulation and deployment. Bloggers were quick to pick up on the issues. Previous form suggests that this problem will keep cropping up in future versions, if it is so easy to get around.
Developers using the framework have been strongly advised to update to 184.108.40.206 to combat this problem as soon as possible. Those using Maven have been provided the details they need to configure the update within the release notes.