Hello,
We use Struts version 1.2.2 and commons-fileupload version 1.1.1. It is not
clear from this notification if these versions are impacted.
1. Can anyone confirm if these versions are affected?
2. If they are affected, what can be done? Should we upgrade to Struts 2.x?
The notification below only talks about struts 2.x version.
-Deepak
PURPOSE
-------------
The purpose of this Alert is to bring attention to a recently announced
security vulnerability for Apache Struts.
ASSESSMENT
------------------
Apache Struts up to 2.3.16.1 is being reported as having a zero-day
vulnerability. In particular, Struts 2.3.16.1 has an issue with ClassLoader
manipulation via request parameters which was supposed to be resolved on 2
March 2014 through a security fix. Unfortunately, it was confirmed that the
correction wasn't sufficient.
According to the Apache Struts Team, a security fix release fully addressing
all these issues is in preparation and will be released as soon as possible.
Once the release is available, all Struts 2 users are strongly encouraged to
update their installations.
SUGGESTED ACTION
----------------------------
The Apache Struts Team has published the following mitigation information:
In the struts.xml, replace all custom references to params-interceptor with the
following code, especially regarding the class-pattern found at the beginning
of the excludeParams list:
    <interceptor-ref name="params">
        <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
    </interceptor-ref>
If you are using default interceptor stacks packaged in struts-default.xml,
change your parent packages to a customized secured configuration as in the
following example. Given you are using defaultStack so far, change your
packages from
    <package name="default" namespace="/" extends="struts-default">
        <default-interceptor-ref name="defaultStack" />
        ...
    </package>
to
    <package name="default" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor-stack name="secureDefaultStack">
                <interceptor-ref name="defaultStack">
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>
        <default-interceptor-ref name="secureDefaultStack" />
        ...
    </package>
References:
=================
http://struts.apache.org/announce.html#a20140302