...
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote command execution, arbitrary file overwrite, and Strict DMI not working correctly |
Maximum security rating | Critical |
Recommendation | Developers should immediately upgrade to Struts 2.3.1.1 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability |
Affected Software | Struts 2.1.0 - Struts 2.3.1 |
Original JIRA Ticket | |
Reporter | Johannes Dahse, SEC Consult Vulnerability Lab |
CVE Identifier | CVE-2010-1870 TBD |
Original Description | Reported directly to security@struts.a.o and Struts 2 Security Vulnerability - Dynamic Method Invocation |
Problem
To prevent attackers from calling arbitrary methods through request parameters, the flag "xwork.MethodAccessor.denyMethodExecution" is set to true in the OGNL context and the SecurityMemberAccess field "allowStaticMethodAccess" is set to false by default. Also, to prevent access to context variables, an improved character whitelist for parameter names has been applied in the ParametersInterceptor since Struts 2.2.1.1:
...
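The whitelist above acts on parameter *names* only: any name containing a character outside the allowed set is dropped before the name is evaluated as an OGNL expression, which is what keeps `#context[...]` (context variables) and `@class@method()` (static calls) out of the expression. The following is an added illustration, not code from the Struts project; the pattern `PARAM_NAME_WHITELIST` is an assumed one of the same shape (letters, digits, dot, brackets, parentheses, underscore, single quote, whitespace), and the request parameters are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Assumed illustrative whitelist for OGNL parameter names (same shape as the
# Struts 2.2.1.1 check; not copied from the project). Everything outside this
# set, in particular '#', '@', '=', ',', ':' and the backslash, is rejected.
PARAM_NAME_WHITELIST = re.compile(r"^[a-zA-Z0-9.\[\]()_'\s]+$")

# Constructed request parameters: three ordinary property paths and three
# names that try to reach the OGNL context or a static method.
SAMPLE_REQUEST_PARAMS: Dict[str, str] = {
    "user.name": "alice",
    "users[0].email": "alice@example.org",
    "orders['2012'].total": "42",
    "#context['xwork.MethodAccessor.denyMethodExecution']": "false",
    "@java.lang.Runtime@getRuntime().exec('id')": "1",
    "('\\u0023_memberAccess.allowStaticMethodAccess')(x)": "true",
}


def is_acceptable_name(name: str) -> bool:
    """True when every character of the parameter name is whitelisted."""
    return PARAM_NAME_WHITELIST.fullmatch(name) is not None


def offending_chars(name: str) -> Set[str]:
    """The characters that cause a name to be rejected (empty if accepted)."""
    return {c for c in name if PARAM_NAME_WHITELIST.fullmatch(c) is None}


def filter_parameters(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a parameter map into names that may be handed to OGNL and names
    that are dropped. Only the name is inspected; the value is never checked,
    which is exactly the scope of the interceptor's whitelist."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_acceptable_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_parameters(SAMPLE_REQUEST_PARAMS)
    for name in ok:
        print("accepted:", name)
    for name in dropped:
        print("rejected:", name, "offending:", sorted(offending_chars(name)))
```

Note that the backslash is outside the whitelist, so the `\u0023` Unicode escape that OGNL would otherwise expand to `#` is stopped at the name check. The whitelist says nothing about where else request data may reach OGNL; it only covers names that pass through this interceptor.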