For those interested in the Struts 1 patch, please take a look at this: http://en.sourceforge.jp/projects/terasoluna/wiki/StrutsPatch1-EN
You might want to leverage this, it is for 1.2.9, though.

regards,
yuta yoshida

________________________________________
From: Lukasz Lenart [lukaszlen...@apache.org]
Sent: May 17, 2014 16:00
To: Struts Users Mailing List
Subject: Re: Struts zero-day vulnerability

We (Apache Struts) do not share the exact PoCs anymore to reduce risk of informing attackers how to use given vulnerability, you can find some examples over the internet - that's all I can suggest.

2014-05-16 23:57 GMT+02:00 Deepak Subbanarasimha <d.subbanarasi...@kewill.com>:
> Lukasz,
>
> Thank you for responding. This is very helpful.
>
> Do you have information on what kind of attacks this vulnerability would
> expose systems to? Ex. Cross-Site scripting. Is there anything else?
>
> Do you have any suggestions on how to test this fix?
>
> Thanks,
> Deepak
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlen...@apache.org]
> Sent: Monday, May 05, 2014 8:00 AM
> To: Struts Users Mailing List
> Subject: Re: Struts zero-day vulnerability
>
> Here you have more details [1] and just to point it out - Struts 1 reached
> EOL [2] and no further development is expected! Consider migration to Struts 2
> or any other modern framework.
>
> [1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2d8va2wlzt
> [2] http://struts.apache.org/struts1eol-announcement.html
>
> 2014-05-05 13:53 GMT+02:00 Deepak Subbanarasimha <d.subbanarasi...@kewill.com>:
>> Hello,
>>
>> We use struts version 1.2.2 and commons-fileupload version 1.1.1. It is
>> not clear from this notification if these versions are impacted.
>>
>> 1. Can anyone confirm if these versions are affected?
>>
>> 2. If they are affected, what can be done? Should we upgrade to Struts 2.x?
>>
>> The notification below only talks about the struts 2.x version.
>>
>> -Deepak
>>
>> PURPOSE
>> -------------
>>
>> The purpose of this Alert is to bring attention to a recently announced
>> security vulnerability for Apache Struts.
>>
>> ASSESSMENT
>> ------------------
>>
>> Apache Struts up to 2.3.16.1 is being reported as having a zero-day
>> vulnerability. In particular, Struts 2.3.16.1 has an issue with ClassLoader
>> manipulation via request parameters which was supposed to be resolved on 2
>> March 2014 through a security fix. Unfortunately, it was confirmed that the
>> correction wasn't sufficient.
>>
>> According to the Apache Struts Team, a security fix release fully addressing
>> all these issues is in preparation and will be released as soon as possible.
>> Once the release is available, all Struts 2 users are strongly encouraged to
>> update their installations.
>>
>> SUGGESTED ACTION
>> ----------------------------
>>
>> The Apache Struts Team has published the following mitigation information:
>>
>> In the struts.xml, replace all custom references to params-interceptor with
>> the following code, especially regarding the class-pattern found at the
>> beginning of the excludeParams list:
>>
>> <interceptor-ref name="params">
>>     <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>> </interceptor-ref>
>>
>> If you are using default interceptor stacks packaged in
>> struts-default.xml, change your parent packages to a customized
>> secured configuration as in the following example. Given you are using
>> defaultStack so far, change your packages from
>>
>> <package name="default" namespace="/" extends="struts-default">
>>     <default-interceptor-ref name="defaultStack" />
>>     ...
>>     ...
>> </package>
>>
>> to
>>
>> <package name="default" namespace="/" extends="struts-default">
>>     <interceptors>
>>         <interceptor-stack name="secureDefaultStack">
>>             <interceptor-ref name="defaultStack">
>>                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>>             </interceptor-ref>
>>         </interceptor-stack>
>>     </interceptors>
>>
>>     <default-interceptor-ref name="secureDefaultStack" />
>>     ...
>> </package>
>>
>> References:
>> =================
>>
>> http://struts.apache.org/announce.html#a20140302
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
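A way to check the mitigation quoted in the alert above, and a partial answer to the "how to test this fix" question in the thread: the excludeParams value is a comma-separated list of regular expressions, and Struts 2.3.x's ParametersInterceptor rejects a request parameter when any entry matches the whole parameter name (Java's Matcher.matches(), which Python's re.fullmatch mirrors). The script below is an added example, not code from the Struts project or from anyone in the thread; it compiles the exact excludeParams string from the alert and runs it over constructed parameter names (the names are assumptions for illustration, not captured traffic) to show which ones the interceptor would drop.

```python
import re

# Added example (not from the Struts project or the thread above): exercises the
# excludeParams value recommended in the quoted alert against constructed
# parameter names, to show which names the params interceptor would drop.
# Struts 2.3.x splits the value on commas, compiles each entry, and rejects a
# parameter when any entry matches the whole name (Matcher.matches()), which
# re.fullmatch mirrors here.

EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

EXCLUDE_PATTERNS = [re.compile(entry) for entry in EXCLUDE_PARAMS.split(",")]


def is_excluded(param_name: str) -> bool:
    """Return True when any excludeParams entry matches the full parameter name."""
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def matching_entry(param_name: str):
    """Return the first excludeParams entry that rejects the name, or None if accepted."""
    for p in EXCLUDE_PATTERNS:
        if p.fullmatch(param_name):
            return p.pattern
    return None


# Constructed parameter names (assumptions for this example, not captured traffic).
SAMPLE_PARAMS = [
    "class.classLoader.someProperty",            # dotted class chain
    "Class.classLoader.someProperty",            # capitalised variant
    "['class'].classLoader.someProperty",        # bracket/quote form
    "top['class']['classLoader'].someProperty",  # nested bracket form
    "struts.token",                              # framework-internal prefix
    "action:save",                               # action-prefixed name
    "subclass.name",                             # benign, but still rejected (collateral)
    "classification.name",                       # benign, accepted
    "user.name",                                 # benign, accepted
    "myClassName",                               # benign, accepted
]


def classify(names):
    """Map each parameter name to the entry that rejects it (None if accepted)."""
    return {name: matching_entry(name) for name in names}


if __name__ == "__main__":
    for name, entry in classify(SAMPLE_PARAMS).items():
        verdict = "REJECTED by " + entry if entry else "accepted"
        print(f"{name:45} {verdict}")
```

Two things the run makes visible that the config excerpt alone does not: the leading `.*` alternative in the class entry means any name in which `class`/`Class` is immediately followed by `.`, `[`, `']` or `"]` is rejected wherever it appears, so the quoted and nested bracket spellings are covered, and so are benign names such as `subclass.name`, which will silently stop binding to your action. Run your own forms' parameter names through the same check before deploying the excludeParams change, and treat it as a stopgap until the fixed release the alert refers to is installed.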