Apache Struts Susceptible to Two-Year Old Vulnerability

The Apache Software Foundation cautioned in an advisory that the Commons FileUpload library bundled with the most recent Struts 2 release is vulnerable to a two-year-old remote code execution flaw. Users of this library must update it by hand. The underlying bug in the Commons FileUpload library is a known vulnerability (CVE-2016-1000031) that permits remote code execution in the open-source framework, which is used to build web applications in the Java programming language. The library contains a serializable Java object that can be manipulated so that, when it is deserialized, it writes or copies files to disk in arbitrary locations. “A remote attacker could exploit this vulnerability to take control of an affected system,” said the advisory released on Monday. “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.” Apache Struts versions 2.3.36 and earlier use the vulnerable Commons FileUpload. Version 1.3.3 of the Commons FileUpload library is the release users need to update to in order to mitigate this issue.

Analyst Notes

There is no Struts upgrade that fixes this on its own; users must replace the commons-fileupload library manually. Users must also check their systems to make sure no duplicate copy is present, because Struts is not the only application that uses Commons FileUpload. Though 1.3.3 is not the default Commons FileUpload, it can still be used with Apache Struts 2.3.36 or earlier. Users should note that they need to manually remove the old, vulnerable Commons FileUpload jar before upgrading to version 1.3.3, which no longer allows the vulnerable deserialization.
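The manual check described above (find every copy of commons-fileupload on a host, not just the one under the Struts app's WEB-INF/lib, and compare its version against 1.3.3) can be scripted. The audit below is an added example and is not code from the Apache advisory or the Struts project. It assumes jars carry an Implementation-Version header in META-INF/MANIFEST.MF (falling back to the commons-fileupload-X.Y.Z.jar filename), and it identifies renamed copies by probing for the DiskFileItem class inside the archive; the sample webapp tree it builds is constructed for the demonstration.

```python
"""Audit a deployment tree for vulnerable Apache Commons FileUpload jars.

Assumptions (not from the advisory): the jar's version is recorded in
META-INF/MANIFEST.MF as Implementation-Version, or encoded in the filename
as commons-fileupload-<version>.jar. Renamed copies are detected by the
presence of the DiskFileItem class, the object abused by CVE-2016-1000031.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (1, 3, 3)  # first commons-fileupload release without the vulnerable deserialization
FILENAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")
FILEUPLOAD_CLASS = "org/apache/commons/fileupload/disk/DiskFileItem.class"


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); qualifiers such as '-SNAPSHOT' are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """Anything below 1.3.3 still deserializes DiskFileItem. Tuple order handles 1.3 < 1.3.3 < 1.4."""
    return version is not None and version < FIXED_VERSION


def is_fileupload_jar(path):
    """Match by conventional filename, or by the library's own class for renamed/duplicated copies."""
    if FILENAME_RE.search(os.path.basename(path)):
        return True
    try:
        with zipfile.ZipFile(path) as jar:
            return FILEUPLOAD_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return False


def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as jar:
            if "META-INF/MANIFEST.MF" in jar.namelist():
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    return parse_version(m.group(1))
    except zipfile.BadZipFile:
        pass
    m = FILENAME_RE.search(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def audit(root):
    """Return sorted [(relative path, version tuple, vulnerable?)] for every fileupload jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            if is_fileupload_jar(path):
                version = jar_version(path)
                findings.append((os.path.relpath(path, root), version, is_vulnerable(version)))
    return sorted(findings)


def _write_jar(path, version, include_class=True):
    """Write a minimal jar with a manifest and, optionally, the DiskFileItem class entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_class:
            jar.writestr(FILEUPLOAD_CLASS, b"")


def make_sample_webapp():
    """Constructed sample tree: a Struts 2.3.36 app on 1.3.2, plus a second app holding a renamed old copy."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "commons-fileupload-1.3.2.jar"), "1.3.2")
    _write_jar(os.path.join(lib, "struts2-core-2.3.36.jar"), "2.3.36", include_class=False)
    other = os.path.join(root, "other-app", "WEB-INF", "lib")
    os.makedirs(other)
    _write_jar(os.path.join(other, "upload-utils.jar"), "1.3.1")  # duplicate copy under another name
    _write_jar(os.path.join(other, "commons-fileupload-1.3.3.jar"), "1.3.3")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_webapp()
    for rel, version, vulnerable in audit(target):
        shown = ".".join(map(str, version)) if version else "unknown"
        print("%-10s %-8s %s" % ("VULNERABLE" if vulnerable else "ok", shown, rel))
```

Run it with the root of a Tomcat webapps directory (or `/`) as the argument; without an argument it audits the constructed sample and reports the 1.3.2 jar and the renamed 1.3.1 copy as vulnerable while passing the 1.3.3 jar and ignoring struts2-core. The class probe is what catches the "duplicate copy" case the analyst notes warn about, since a copy bundled by another application may not carry the conventional filename.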