S2-020

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | DoS attacks and ClassLoader manipulation |
| Maximum security rating | Important |
| Recommendation | Developers should immediately upgrade to Struts 2.3.16.1 |
| Affected Software | Struts 2.0.0 - Struts 2.3.16 |
| Reporter | Mark Thomas (markt at apache.org), Przemysław Celej (p-celej at o2.pl) |
| CVE Identifier | |
The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the class parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation.

In Struts 2.3.16.1, Commons FileUpload was updated to version 1.3.1 and "class" was added to excludeParams in the struts-default.xml configuration of ParametersInterceptor.
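The following is an added illustration, not code from the Struts project or this bulletin, of what the excludeParams change does: ParametersInterceptor treats excludeParams as a comma-separated list of regular expressions and refuses to set any request parameter whose name matches one of them. The two lists below are assumed abbreviations of the real struts-default.xml value (only the `^class\..*` entry is the S2-020 addition), and the parameter names are constructed samples.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
 * Added illustration (not Struts code): how an excludeParams list of
 * regular expressions, as consulted by ParametersInterceptor, decides
 * whether a request parameter name may be set on the action.
 */
public class ExcludeParamsCheck {

    // ASSUMED, abbreviated stand-ins for the struts-default.xml value;
    // the only difference is the "^class\\..*" entry added in 2.3.16.1.
    static final String BEFORE_FIX =
        "dojo\\..*,^struts\\..*,^session\\..*,^request\\..*,^application\\..*,^servlet(Request|Response)\\..*";
    static final String AFTER_FIX = BEFORE_FIX + ",^class\\..*";

    /** Splits the comma-separated excludeParams value into compiled patterns. */
    static List<Pattern> compile(String excludeParams) {
        return Arrays.stream(excludeParams.split(","))
                     .map(String::trim)
                     .map(Pattern::compile)
                     .collect(Collectors.toList());
    }

    /** Returns true when no exclude pattern matches the whole parameter name. */
    static boolean isAcceptable(String paramName, List<Pattern> excludes) {
        for (Pattern p : excludes) {
            if (p.matcher(paramName).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        List<Pattern> before = compile(BEFORE_FIX);
        List<Pattern> after = compile(AFTER_FIX);

        // Constructed sample names: an ordinary form field, and one that
        // walks through getClass() into the ClassLoader, the path the bulletin describes.
        String[] names = { "username", "class.classLoader.someProperty" };

        for (String n : names) {
            System.out.printf("%-32s before fix: %-6s after fix: %s%n",
                    n, isAcceptable(n, before), isAcceptable(n, after));
        }
    }
}
```

The ordinary field passes under both lists, while the `class.`-prefixed name passes under the pre-fix list and is rejected once `^class\..*` is present, which is why upgrading to 2.3.16.1 closes the getClass() path; note that `matches()` requires the pattern to cover the entire parameter name, so the anchored `^class\..*` form is what makes the exclusion apply.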