Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Struts 2.3 Vulnerable to Two Year old File Upload Flaw - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Struts 2.3 Vulnerable to Two Year old File Upload Flaw

Apache today released an advisory, urging users who run Apache Struts 2.3.x to update the commons-fileupload component [1]. Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November of 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload [2]. The vulnerability can lead to arbitrary remote code execution.

You are vulnerable if you run Struts 2.3.x, and if your site makes use of the file upload mechanism built into Struts. You are not vulnerable if you are running Struts 2.5.x. This newer version of Struts includes a patched commons-fileupload component.

There is no simple "new Struts version" to fix this. You will have to swap out the commons-fileupload library manually. Download version 1.3.3 and place it inside WEB-INF/lib, replacing the old version. For Maven-based projects, you will also need to update your dependencies (see the advisory for details). You can find the latest version here: https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

And while you are at it: Double check that you don't have any other copies of the vulnerable library sitting on your systems. Struts isn't the only one using it, and others may have neglected to update it as well.

[1] http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox
[2] https://issues.apache.org/jira/browse/FILEUPLOAD-279

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3395 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!