
Equifax nemesis Apache Struts found vulnerable to two-year-old unpatched flaw; workaround available

Remember how an unpatched flaw in Apache Struts caused one of the biggest data breaches in history? It could happen again if those running Apache Struts 2.3.x or lower fail to replace the bundled file-upload component with a newer version.

Apache released an advisory this week urging users who run Apache Struts 2.3.x to update the commons-fileupload component, as bad actors could leverage a flaw in it to execute arbitrary code and deploy malware. The worrying part is that both the flaw and its fix are two years old; Struts 2.3.x simply kept shipping the old, vulnerable release.

“Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November of 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload. The vulnerability can lead to arbitrary remote code execution,” writes Johannes Ullrich, a network security researcher focusing on IPv6 and web application security.

Users running Struts 2.3.x who make use of the file-upload mechanism built into Struts are vulnerable. Users of Struts 2.5.x, however, are not, as this newer version already includes a patched commons-fileupload component.

Ullrich explains:

“There is no simple ‘new Struts version’ to fix this. You will have to swap out the commons-fileupload library manually. Download version 1.3.3 and place it inside WEB-INF/lib, replacing the old version. For Maven-based projects, you will also need to update your dependencies (see the advisory for details).”

Apache's advisory points users to the latest commons-fileupload release. After performing this workaround, users should also double-check that no other copies of the vulnerable library reside elsewhere on their systems (other web applications, shared server classpaths), as Struts isn't the only software that incorporates this component.
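The check described above, finding every copy of commons-fileupload on a server and flagging the ones older than the fixed 1.3.3 release, is easy to script. The following is an added example, not code from the article, from Apache or from Johannes Ullrich. It assumes jar files carry their version in the filename (the Maven convention); jars without a version in the name are reported for manual inspection rather than guessed at. The sample directory tree it scans is constructed inline with empty placeholder files so the script runs offline.

```shell
#!/bin/sh
# Added example: scan a directory tree for commons-fileupload jars and flag
# any release older than the fixed version. Assumes the version is embedded
# in the jar filename (Maven convention); unversioned jars are reported as
# UNKNOWN for manual inspection.

FIXED_VERSION="1.3.3"

# version_is_at_least VERSION MINIMUM
# Returns 0 when VERSION >= MINIMUM, 1 otherwise. Versions are compared
# component by component; a trailing dot is appended so that `cut` yields an
# empty field past the end instead of passing the whole line through.
# Non-numeric suffixes such as "-rc1" are stripped from each component.
version_is_at_least() {
    v="$1"; min="$2"; i=1
    while :; do
        a=$(printf '%s.' "$v"   | cut -d. -f"$i" | sed 's/[^0-9].*//')
        b=$(printf '%s.' "$min" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        if [ -z "$a" ] && [ -z "$b" ]; then
            return 0            # all components equal
        fi
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
}

# scan_fileupload_jars ROOT
# Prints one tab-separated line per commons-fileupload jar found under ROOT:
#   STATUS<TAB>VERSION<TAB>PATH   with STATUS one of VULNERABLE, OK, UNKNOWN.
scan_fileupload_jars() {
    find "$1" -type f -name 'commons-fileupload*.jar' | sort |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=$(printf '%s' "$base" | sed -n 's/^commons-fileupload-\([0-9][0-9.]*.*\)$/\1/p')
        if [ -z "$ver" ]; then
            printf 'UNKNOWN\t-\t%s\n' "$jar"
        elif version_is_at_least "$ver" "$FIXED_VERSION"; then
            printf 'OK\t%s\t%s\n' "$ver" "$jar"
        else
            printf 'VULNERABLE\t%s\t%s\n' "$ver" "$jar"
        fi
    done
}

# make_sample_tree
# Builds a constructed stand-in for a servlet container's webapps directory
# (empty placeholder files; only the names matter) and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/struts-app/WEB-INF/lib" "$root/other-app/WEB-INF/lib" "$root/shared/lib"
    : > "$root/struts-app/WEB-INF/lib/commons-fileupload-1.3.2.jar"  # Struts 2.3.x default: vulnerable
    : > "$root/struts-app/WEB-INF/lib/struts2-core.jar"               # unrelated jar, ignored by the scan
    : > "$root/other-app/WEB-INF/lib/commons-fileupload-1.3.3.jar"   # patched copy
    : > "$root/shared/lib/commons-fileupload-1.2.2.jar"               # forgotten older copy: vulnerable
    : > "$root/shared/lib/commons-fileupload.jar"                      # no version in name: inspect manually
    printf '%s\n' "$root"
}

# Usage: sh scan-fileupload.sh /path/to/webapps
# With no argument, scan the constructed sample tree instead.
if [ -n "${1:-}" ]; then
    scan_fileupload_jars "$1"
else
    sample=$(make_sample_tree)
    scan_fileupload_jars "$sample"
    rm -rf "$sample"
fi
```

Run it against the container's webapps directory and any shared lib directories on the server's classpath; every VULNERABLE line is a jar to replace with 1.3.3, and every UNKNOWN line is a jar whose META-INF/MANIFEST.MF should be inspected by hand. For Maven-built projects, remember that the jar in WEB-INF/lib is regenerated on the next build, so the dependency in the pom must be updated as the advisory describes or the old version will silently return.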

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.
