Remember how an unpatched flaw in Apache Struts caused one of the biggest data breaches in history? It could happen again, if those using Apache Struts versions 2.3.x or lower fail to replace a file-upload component with a newer version.
Apache released an advisory this week urging users who run Apache Struts 2.3.x to update the commons-fileupload component, as bad actors could leverage a flaw to execute arbitrary code and deploy malware. The worrying part is that the flaw is two years old.
“Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November of 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload. The vulnerability can lead to arbitrary remote code execution,” writes Johannes Ullrich, a network security researcher focusing on IPv6 and web application security.
Users running Struts 2.3.x making use of the file upload mechanism built into Struts are vulnerable. Users of Struts 2.5.x, however, are not vulnerable, as this newer version of includes a patched commons-fileupload component.
“There is no simple ‘new Struts version’ to fix this. You will have to swap out the commons-fileupload library manually. Download version 1.3.3 and place it inside WEB-INF/lib, replacing the old version. For Maven-based projects, you will also need to update your dependencies (see the advisory for details).”
Users are directed to this link for the latest version. After performing this workaround, users should also double check that they don’t have any other copies of the vulnerable library residing elsewhere on their systems, as Struts isn’t the only software that incorporates this component.