Apache Struts 2.3.x vulnerable to two year old RCE flaw

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.

The Apache Software Foundation is urging users that run Apache Struts 2.3.x to update the Commons FileUpload library to close a serious vulnerability that could be exploited for remote code execution attacks.

Apache Struts 2.3.x vulnerable

The probem

Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications. The Commons FileUpload library is used to add file upload capabilities to servlets and web applications.

The vulnerability (CVE-2016-1000031) is present in Commons FileUpload versions before 1.3.3, and arose due to the inclusion of a Java Object that can be manipulated to write or copy files to disk in arbitrary locations.

The vulnerability is present in Apache Struts 2.3.x because it uses the vulnerable version of the library (v1.3.2).

What you need to do

“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” the Foundation explained.

“The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.

The replacement must be done manually. And those who run Maven-based Struts projects must add a specified dependency.

Johannes Ullrich, Dean of Research at the SANS Technology Institute, also advised affected users to check whether they have other copies of the vulnerable library sitting on their systems.

“Struts isn’t the only one using it, and others may have neglected to update it as well,” he noted.

Those who run Struts 2.5.x are not affected because it includes the patched version of the library.

Critical Struts 2 flaws should be patched as soon as possible, lest they be exploited and lead to catastrophic consequences. (The massive Equifax breach was the result of an Apache Struts 2 flaw and lax patching practices).