There is an update to the Apache Struts framework that fixes two vulnerabilities.
To mark the seriousness of the update, the Apache Struts developers said users should upgrade to Struts 22.214.171.124 pronto.
One of the fixes for the open-source web application framework addresses a problem in the Dynamic Method Invocation (DMI) feature, previously thought to break users' applications if relied on too heavily. Developers had previously enabled the feature by default and flashed a warning that users should switch it off if possible. Now the default is the opposite: the developers have disabled it by default. Alternatively, as a workaround, users can set struts.enable.DynamicMethodInvocation to false in struts.xml.
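As an added example (not from the article), here is a struts.xml fragment applying the DMI workaround described above, with the old default left beside it as a comment; the package name and action class are hypothetical:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Old default (weak): with DMI on, a request can pick the action method
         itself via the "!method" suffix in the URL. Do not re-enable this. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Workaround: disable DMI explicitly so only configured methods run -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Hypothetical package: each action names its method explicitly,
         which is all an application needs once DMI is off -->
    <package name="default" namespace="/" extends="struts-default">
        <action name="save" class="com.example.SaveAction" method="execute">
            <result name="success">/saved.jsp</result>
        </action>
    </package>
</struts>
```

Applications that relied on the "!method" suffix must be given explicit `method` attributes (or separate action mappings) before this setting is deployed.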
The second fix is for a broken access control vulnerability in Struts 2's action mapping mechanism. A parameter in the mechanism supported the prefix "action:" so that navigational information could be attached to buttons in forms. Under certain scenarios attackers could use this feature to bypass security constraints. The update fixes the mechanism and restricts security constraints. Like the DMI issue, there is a workaround: write your own ActionMapper and drop support for "action:".
Struts, a project of the Apache Software Foundation, is used by developers to build Java-based web applications.