In association with heise online

23 January 2012, 13:08

Critical hole in Apache Struts 2 closed


The developers of the Apache Struts 2 Java web framework have released version 2.3.1.2. This closes a critical hole in versions of Struts from 2.0.0 to 2.3.1.1 that allowed for remote command execution. The vulnerability makes it possible to bypass the protection around OGNL, an expression language used for getting and setting properties of Java objects, and to have arbitrary expressions evaluated.

An example given in the advisory shows how an attacker could invoke the java.lang.Runtime.getRuntime().exec() method to run an arbitrary command if a vulnerable action existed. This is not the first time OGNL has been problematic; in 2008 and 2010, similar problems allowed for unauthorised manipulation and execution of Java classes.
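As an added defender-side example (not from the article or the Struts advisory), the script below scans constructed Apache access-log lines for URL-encoded OGNL expression syntax inside request parameters, where a Struts 2 application should only ever see plain property names. The log lines, the marker list and the `scan_access_log` helper are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Markers of OGNL expression syntax that have no business in a plain
# parameter name or value. The class reference is the one the advisory
# mentions; the list is an assumption, not an exhaustive rule set.
OGNL_MARKERS = re.compile(
    r"""
    [%$]\{                  |   # %{...} / ${...} expression delimiters
    @[\w.]+@                |   # @some.Class@ static member access
    java\.lang\.Runtime         # the class named in the advisory example
    """,
    re.VERBOSE,
)

def suspicious_params(request_line):
    """Return the URL-decoded 'name=value' fragments of an HTTP request
    line (e.g. 'GET /app/x.action?a=1 HTTP/1.1') that contain OGNL syntax."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return []            # not a well-formed request line
    query = urlsplit(target).query
    hits = []
    for pair in query.split("&"):
        decoded = unquote_plus(pair)   # %25%7B -> %{ , %2B -> +
        if OGNL_MARKERS.search(decoded):
            hits.append(decoded)
    return hits

def scan_access_log(lines):
    """Yield (client_ip, hits) for each Apache combined-format line whose
    request carries OGNL syntax. Lines that do not parse are skipped."""
    log_re = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')
    for line in lines:
        m = log_re.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group(2))
        if hits:
            yield m.group(1), hits

# Constructed sample log lines; none come from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2012:13:08:00 +0100] "GET /app/list.action?page=2 HTTP/1.1" 200 512',
    '192.0.2.77 - - [23/Jan/2012:13:08:05 +0100] "GET /app/list.action?%25%7B1%2B1%7D=x HTTP/1.1" 500 0',
    '192.0.2.78 - - [23/Jan/2012:13:08:09 +0100] "GET /app/list.action?user=%40java.lang.Runtime%40 HTTP/1.1" 500 0',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for ip, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits)
```

Access logs only expose query strings, so parameters sent in POST bodies need request-level logging (a reverse proxy or WAF) to be checked the same way.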

Developers are strongly advised to update to Struts 2.3.1.2, which is available to download. Maven users will find details on how to update in the release notes. For installations that are unable to update, the advisory offers a configuration change which can mitigate the problem.

(djwm)

Permalink: http://h-online.com/-1419498