Summary
Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | DoS attacks and ClassLoader manipulation |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.16.1 |
Affected Software | Struts 2.0.0 - Struts 2.3.16 |
Reporter | Mark Thomas (markt at apache.org),Przemysław Celej (p-celej at o2.pl) |
CVE Identifier |
|
Problem
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
Solution
In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation
to false in struts.xml
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
Backward Compatibility
Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider to refactor your application to avoid DMI.
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.