
The Apache Software Foundation released a new version of Apache Struts, the open-source framework for creating Java web applications, to address a zero-day vulnerability. This is the second patch for the issue; the first one, issued in March, simply was not a good patch.

It all started in March, when the Apache Struts group released a Struts update that supposedly fixed two security issues: ClassLoader manipulation via request parameters, and, through an update to the Commons FileUpload library, denial-of-service (DoS) attacks.


As it turns out, the fix for the ClassLoader manipulation was not very good, and as a result the Struts group released another update.

The new release comes with improved excluded parameters to avoid ClassLoader manipulation via ParametersInterceptor. Excluded parameters have also been added to CookieInterceptor to “avoid ClassLoader manipulation when the interceptor is configured to accept all cookie names (wildcard matching via ‘*’).”
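As an added illustration of what an excluded-parameter filter does (this is not code from the article or from the Struts project), the Python model below checks both request parameters and wildcard-accepted cookie names against a deny pattern before any value is bound to an object property; the pattern, the function names and the sample inputs are my own constructions and not the actual Struts configuration.

```python
import re
from typing import Dict, List, Tuple

# Constructed deny pattern (mine, not the Struts project's): reject a name whose
# property path contains "class" as a whole segment in dot notation (class.x,
# a.class.x) or bracket notation (['class'], a[class]), ignoring letter case.
EXCLUDED_NAME_PATTERN = re.compile(
    r"""(^|.*\.|.*\[['"]?)class(\.|\[|['"]?\]|$).*""", re.IGNORECASE
)

def is_excluded(name: str) -> bool:
    """True if a parameter or cookie name must be dropped before any value is bound."""
    return EXCLUDED_NAME_PATTERN.fullmatch(name) is not None

def filter_parameters(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split request parameters into accepted ones and dropped names (for logging)."""
    accepted, dropped = {}, []
    for name, value in params.items():
        if is_excluded(name):
            dropped.append(name)
        else:
            accepted[name] = value
    return accepted, dropped

def filter_cookies(cookies: Dict[str, str], cookies_name: str = "*") -> Tuple[Dict[str, str], List[str]]:
    """Apply the cookie-name setting ('*' selects every cookie, otherwise a
    comma-separated list of names), then the same exclusion check as for parameters."""
    selected = None if cookies_name == "*" else {n.strip() for n in cookies_name.split(",")}
    accepted, dropped = {}, []
    for name, value in cookies.items():
        if selected is not None and name not in selected:
            continue  # not selected by configuration, so never bound at all
        if is_excluded(name):
            dropped.append(name)
        else:
            accepted[name] = value
    return accepted, dropped

if __name__ == "__main__":
    # Constructed sample request: ordinary fields plus property-path names that
    # reach the class segment in dot, bracket and mixed-case spellings.
    sample_params = {"user.name": "alice", "class.classLoader.x": "1", "Class.y": "2",
                     "['class'].z": "3", "classroom": "4a"}
    sample_cookies = {"JSESSIONID": "abc", "class.loader": "x", "theme": "dark"}
    print(filter_parameters(sample_params))   # drops the three class.* names
    print(filter_cookies(sample_cookies, "*"))  # wildcard: class.loader is dropped
    print(filter_cookies(sample_cookies, "JSESSIONID, theme"))  # explicit list, nothing dropped
```

Logging the dropped names, rather than silently discarding them, gives the operations team a simple detection signal for requests that probe the binding mechanism.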


All Struts 2 users should update their installations as soon as possible, officials said. Before the new version was released, the Struts group published a method that could mitigate the attack. However, Struts officials recommend that users install the latest version rather than rely on the mitigation.

Additional details on the latest security update are available on the Struts website.
