Versions Compared

Old Version 1

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version Current

changes.mady.by.user René Gielen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

DoS attacks and ClassLoader manipulation

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.16.12

Affected Software

Struts 2.0.0 - Struts 2.3.16.1

Reporter

Mark Thomas (markt at apache.orgPeter Magnusson (peter.magnusson at omegapoint.se), Przemysław Celej (p-celej at o2.pl)

CVE Identifier

 

Problem

CVE-2014-0050 (DoS), CVE-2014-0094 (ClassLoader manipulation)

Problem

The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulationDynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.

Solution

In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml

...

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

16.1, Commons FileUpload was updated to version 1.3.1 and "class" was added to excludeParams in struts-default.xml configuration of ParametersInterceptor.

Backward compatibility

No backward compatibility problems are expected.

Workaround

If you cannot upgrade to version 2.3.16.2 which is strongly advised, you can apply below workarounds:

Upgrade commons-fileupload

The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the updated jar. For Maven
based Struts 2 projects, the following dependency needs to be added:

Code Block
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.1</version>
</dependency>

Exclude 'class' parameter

Simple add '^class\.*' to the list of excludeParams as below

Code Block
<interceptor-ref name="params">
  <param name="excludeParams">^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
Note
titleBackward Compatibility

Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider to refactor your application to avoid DMI.

Warning
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.