[cv-announce-l] Apache Struts 2.3.x RCE Vulnerability When File Uploads Are Enabled
- From: Terry Fleury <tfleury@illinois.edu>
- To: cv-announce@trustedci.org
- Subject: [cv-announce-l] Apache Struts 2.3.x RCE Vulnerability When File Uploads Are Enabled
- Date: Tue, 6 Nov 2018 11:09:58 -0600
CI Operators and Developers:
Apache Struts 2.3.x [1] ships with Apache Commons FileUpload 1.3.2 which
contains a deserialization vulnerability which can lead to remote code
execution (RCE) [2]. This issue was fixed June 2017 in Commons
FileUpload 1.3.3 [3]. However, Apache Struts 2.3.36 ships with Commons
FileUpload 1.3.2 [4]. Apache Struts 2.5.x ships with an updated Commons
FileUpload, so it is not vulnerable.
Impact:
If you are using Apache Struts 2.3.x and have file uploads enabled, a
remote attacker could exploit the vulnerability in Commons FileUpload
1.3.2 to take control of the system.
Recommendation:
The updated Commons FileUpload 1.3.3 is a drop-in replacement for
FileUpload 1.3.2. Deployed applications can be updated by replacing
commons-fileupload.jar in the WEB-INF/lib directory with the updated jar
file. Note that the commons-fileupload.jar file may exist in multiple
locations on a system, so it is important to verify that all versions are
1.3.3.
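One way to carry out the verification step above, as an added example that is not part of the original advisory: the script locates every commons-fileupload jar under a root directory, reads the version from the file name or, failing that, from the jar manifest's Implementation-Version header (assumed to be present when the name carries no version), and flags anything below 1.3.3 or of unknown version.

```shell
#!/bin/sh
# Find every commons-fileupload jar under a root (e.g. a Tomcat or Struts
# install) and report those that are still below 1.3.3.

fileupload_version() {
  # Print the version of one jar: taken from commons-fileupload-<ver>.jar,
  # else from the manifest's Implementation-Version when unzip is available.
  jar="$1"
  v=$(basename "$jar" .jar | sed -n 's/^commons-fileupload-\([0-9][0-9.]*\).*/\1/p')
  if [ -z "$v" ] && command -v unzip >/dev/null 2>&1; then
    v=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null \
        | sed -n 's/^Implementation-Version: *\([0-9][0-9.]*\).*/\1/p' | tr -d '\r')
  fi
  printf '%s\n' "${v:-unknown}"
}

version_lt() {
  # True when $1 sorts below $2 as a dotted version (1.3.2 < 1.3.3, 1.4 > 1.3.3).
  # Uses field-wise numeric sort instead of GNU-only `sort -V` for portability.
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

find_vulnerable_fileupload() {
  # Print "<path> <version>" for each jar under $1 that is below 1.3.3 or whose
  # version cannot be determined (those still need a manual look).
  root="$1"
  find "$root" -type f -name 'commons-fileupload*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    v=$(fileupload_version "$jar")
    if [ "$v" = unknown ] || version_lt "$v" 1.3.3; then
      printf '%s %s\n' "$jar" "$v"
    fi
  done
}

# Usage: source this file, then run e.g.  find_vulnerable_fileupload /opt/tomcat
# An empty result means every commons-fileupload jar found is 1.3.3 or newer.
```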
Affected Software:
- Apache Commons FileUpload < 1.3.3
- Apache Struts 2.3.x
References:
[1] https://goo.gl/KcVCcp
[2] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[3] https://commons.apache.org/proper/commons-fileupload/
[4] https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to
each cyberinfrastructure deployment. Trusted CI (formerly CTSC) cannot
provide a one-size-fits-all severity rating and response recommendation
for all NSF cyberinfrastructure. Please contact us
(http://trustedci.org/help/) if you need assistance with assessing the
potential impact of this vulnerability in your environment and/or you
have additional information about this issue that should be shared with
the community.
--
Terry Fleury
tfleury@illinois.edu