Lukasz,

Thank you for responding. This is very helpful.

Do you have information on what kind of attacks this vulnerability would expose systems to? E.g. cross-site scripting. Is there anything else? Do you have any suggestions on how to test this fix?

Thanks,
Deepak

-----Original Message-----
From: Lukasz Lenart [mailto:lukaszlen...@apache.org]
Sent: Monday, May 05, 2014 8:00 AM
To: Struts Users Mailing List
Subject: Re: Struts zero-day vulnerability

Here you have more details [1] and just to point it out - Struts 1 reached EOL [2] and no further development is expected! Consider migration to Struts2 or any other modern framework.

[1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2d8va2wlzt
[2] http://struts.apache.org/struts1eol-announcement.html

2014-05-05 13:53 GMT+02:00 Deepak Subbanarasimha <d.subbanarasi...@kewill.com>:
> Hello,
>
> We use Struts version 1.2.2 and commons-fileupload version 1.1.1. It is not
> clear from this notification if these versions are impacted.
>
> 1. Can anyone confirm if these versions are affected?
>
> 2. If they are affected, what can be done? Should we upgrade to Struts 2.x?
>
> The notification below only talks about the Struts 2.x version.
>
> -Deepak
>
> PURPOSE
> -------------
>
> The purpose of this Alert is to bring attention to a recently announced
> security vulnerability for Apache Struts.
>
> ASSESSMENT
> ------------------
>
> Apache Struts up to 2.3.16.1 is being reported as having a zero-day
> vulnerability. In particular, Struts 2.3.16.1 has an issue with ClassLoader
> manipulation via request parameters which was supposed to be resolved on 2
> March 2014 through a security fix. Unfortunately, it was confirmed that the
> correction wasn't sufficient.
>
> According to the Apache Struts Team, a security fix release fully addressing
> all these issues is in preparation and will be released as soon as possible.
> Once the release is available, all Struts 2 users are strongly encouraged to
> update their installations.
>
> SUGGESTED ACTION
> ----------------------------
>
> The Apache Struts Team has published the following mitigation information:
>
> In the struts.xml, replace all custom references to params-interceptor with
> the following code, especially regarding the class-pattern found at the
> beginning of the excludeParams list:
>
> <interceptor-ref name="params">
>     <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
> </interceptor-ref>
>
> If you are using default interceptor stacks packaged in
> struts-default.xml, change your parent packages to a customized
> secured configuration as in the following example. Given you are using
> defaultStack so far, change your packages from
>
> <package name="default" namespace="/" extends="struts-default">
>     <default-interceptor-ref name="defaultStack" />
>     ...
>     ...
> </package>
>
> to
>
> <package name="default" namespace="/" extends="struts-default">
>     <interceptors>
>         <interceptor-stack name="secureDefaultStack">
>             <interceptor-ref name="defaultStack">
>                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>             </interceptor-ref>
>         </interceptor-stack>
>     </interceptors>
>
>     <default-interceptor-ref name="secureDefaultStack" />
>     ...
> </package>
>
> References:
> =================
>
> http://struts.apache.org/announce.html#a20140302
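Deepak asks how the fix could be tested. One offline check, as an added example that is not code from this thread or from Apache Struts, is to replay the excludeParams list quoted in the advisory above against candidate parameter names the way ParametersInterceptor does: the value is split on commas and a parameter is dropped when any pattern fully matches its name (Java Pattern.matches(), reproduced here with re.fullmatch). The parameter names below are constructed samples, not captured traffic. The narrower WEAK_EXCLUDE_PARAMS value shown for contrast is my recollection of the class-pattern shipped in the 2.3.16.1 struts-default.xml; the page itself does not quote it, so treat it as an assumption.

```python
"""Replay a Struts 2 excludeParams list against candidate parameter names.

Added example, not code from the mailing-list thread or from Apache Struts.
Struts' ParametersInterceptor splits excludeParams on commas and rejects a
parameter when any pattern fully matches its name; re.fullmatch reproduces
that decision. All parameter names below are constructed samples.
"""
import re

# The excludeParams value exactly as published in the advisory quoted above
# (e-mail line wraps removed).
SECURE_EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

# ASSUMPTION: the narrower class-pattern of the 2.3.16.1 release, recalled
# from its struts-default.xml and not quoted on this page; shown for contrast.
WEAK_EXCLUDE_PARAMS = (
    r"^class\..*,"
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

# Constructed names. The first list holds OGNL property paths that reach a
# ClassLoader through getClass() on the action or one of its properties; the
# second holds benign names that a hardened list must still accept.
CLASSLOADER_PATHS = [
    "class.classLoader.URLs[0]",
    "Class.classLoader.resources.dirContext.docBase",
    "['class'].classLoader.URLs[0]",
    "[\"class\"].classLoader.URLs[0]",
    "user.class.classLoader.URLs[0]",
]
BENIGN_NAMES = ["username", "classification", "classRoom", "order.classCode"]


def compile_exclude_params(value: str) -> list:
    """Split a comma-delimited excludeParams value into compiled patterns."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_excluded(name: str, patterns: list) -> bool:
    """True when any pattern matches the whole parameter name."""
    return any(p.fullmatch(name) for p in patterns)


def audit(exclude_params: str, names: list) -> dict:
    """Map each name to whether the given excludeParams value rejects it."""
    patterns = compile_exclude_params(exclude_params)
    return {n: is_excluded(n, patterns) for n in names}


def weak_list_misses(names=CLASSLOADER_PATHS) -> list:
    """ClassLoader paths the weak list accepts but the advisory's list rejects."""
    weak = audit(WEAK_EXCLUDE_PARAMS, names)
    secure = audit(SECURE_EXCLUDE_PARAMS, names)
    return [n for n in names if not weak[n] and secure[n]]


if __name__ == "__main__":
    for name, rejected in audit(SECURE_EXCLUDE_PARAMS,
                                CLASSLOADER_PATHS + BENIGN_NAMES).items():
        print(f"{'REJECT' if rejected else 'accept':7} {name}")
    print("accepted by the weak list:", weak_list_misses())
```

Run it after editing struts.xml to confirm the regex you pasted was not broken by line wrapping: every name in CLASSLOADER_PATHS must be rejected and every benign name accepted. The same check, pointed at a copy of your own application's parameter names, tells you whether the class-pattern collides with any legitimate field.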