Apache Struts users have to update FileUpload library to fix years-old flaws

Apache Struts Users have to update the Commons FileUpload library in Struts 2 that is affected by two vulnerabilities.

Apache Struts developers have addressed two vulnerabilities in the Commons FileUpload library in Struts 2, the flaws can be exploited for remote code execution and denial-of-service (DoS) attacks.

“Apache today released an advisory, urging users who run Apache Struts 2.3.x to update the commons-fileupload component [1]. Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November of 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload [2]. The vulnerability can lead to arbitrary remote code execution.” states the SANS Institute.

“You are vulnerable if you run Struts 2.3.x, and if your site makes use of the file upload mechanism built into Struts. You are not vulnerable if you are running Struts 2.5.x. This newer version of Struts includes a patched commons-fileupload component.”

The Commons FileUpload library is the default file upload mechanism in Struts 2, it is affected by a critical remote code execution vulnerability tracked as CVE-2016-1000031.

CVE-2016-1000031 was discovered two years ago by experts at Tenable and it was addressed with the Commons FileUpload version 1.3.3 in June 2017.

“There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations.” stated Tenable in the security advisory.

“Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call,” 

Struts versions after 2.5.12 are already using version 1.3.3 of the library, while users have to manually update applications using Struts 2.3.36 and earlier by replacing the commons-fileupload JAR file in WEB-INF/lib with the patched version.

Commons FileUpload library Version 1.3.3 also addressed a DoS vulnerability, tracked as CVE-2014-0050, that was discovered in 2014, the issue was first patched in February 2014 with the release of version 1.3.1.

An attacker could exploit the flaw to trigger a DoS condition on publicly accessible sites.

“The Apache Struts Team recommends to immediately upgrade your Struts 2.3.36 based projects to use the latest released version of Commons FileUpload library, which is currently 1.3.1. This is necessary to prevent your publicly accessible web site from being exposed to possible DoS attacks [1] [2].” states the security advisory.

Summarizing, users have to check that their installs don’t use the vulnerable library.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Apache Struts, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]