Apache Struts vulnerability could allow system takeover

News by Robert Abel

The Apache Software Foundation released an advisory addressing a vulnerability in Apache Struts which could allow a remote attacker to take control of an affected system.


The problem is the result of a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior, according to a 5 November US-CERT advisory.

Researchers said projects are affected if they use the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload.

"The updated commons-fileupload library is a drop-in replacement for the vulnerable version," according to an Apache advisory. "Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar."

The National Cybersecurity and Communications Integration Center (NCCIC) encourages users and administrators of Apache Struts versions 2.3.36 and prior to upgrade to the latest released version of the Commons FileUpload library, which is currently 1.3.3.
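Because the fix is a jar swap rather than a Struts upgrade, the practical check on a deployed application is whether WEB-INF/lib still carries a commons-fileupload jar older than 1.3.3. The script below is an added example, not code from the article, from Apache or from US-CERT. It assumes the Maven naming convention commons-fileupload-<version>.jar (a jar renamed without a version is reported as UNKNOWN rather than guessed at), and it builds a constructed sample WEB-INF/lib of empty placeholder files so the scan can be demonstrated offline; on a real server you would point check_fileupload_jars at the application's actual WEB-INF/lib.

```shell
#!/bin/sh
# Added example (not from the article or the Apache/US-CERT advisories):
# scan a Struts 2 webapp's WEB-INF/lib for commons-fileupload jars and flag
# any whose version is below the fixed release named in the advisory (1.3.3).
# Usage: check_fileupload_jars /path/to/webapp/WEB-INF/lib

FIXED_VERSION="1.3.3"

# version_lt A B: return 0 when dotted version A is strictly older than B.
# Components are compared numerically; qualifiers such as "-SNAPSHOT" are dropped.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=""; else b=${b#*.}; fi
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}   # strip non-numeric qualifiers
        ah=${ah:-0}; bh=${bh:-0}               # missing component counts as 0
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# check_fileupload_jars LIBDIR: print one line per commons-fileupload jar found:
#   VULNERABLE  version in the file name is below 1.3.3
#   OK          version is 1.3.3 or later
#   UNKNOWN     no version in the file name; inspect META-INF/MANIFEST.MF by hand
# Returns 1 if anything is VULNERABLE or UNKNOWN, 0 otherwise.
check_fileupload_jars() {
    libdir="$1"
    status=0
    for jar in "$libdir"/commons-fileupload*.jar; do
        [ -e "$jar" ] || continue              # glob matched nothing
        base=$(basename "$jar" .jar)
        version=${base#commons-fileupload-}
        case "$version" in
            [0-9]*)
                if version_lt "$version" "$FIXED_VERSION"; then
                    echo "VULNERABLE $jar (version $version, below $FIXED_VERSION)"
                    status=1
                else
                    echo "OK $jar (version $version)"
                fi ;;
            *)
                echo "UNKNOWN $jar (no version in file name; check META-INF/MANIFEST.MF)"
                status=1 ;;
        esac
    done
    return $status
}

# make_sample_lib DIR VERSION: constructed fixture for the demonstration. It creates
# an empty placeholder named like a Maven-built jar; a real jar is a zip archive.
make_sample_lib() {
    mkdir -p "$1"
    : > "$1/commons-fileupload-$2.jar"
}
```

The scan deliberately refuses to guess at jars without a version in the file name: an UNKNOWN result is a prompt to open the jar's META-INF/MANIFEST.MF (for example with `unzip -p <jar> META-INF/MANIFEST.MF`) before deciding the application is fixed.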

This article was originally published on SC Media US.
