The Apache Software Foundation has warned that the version of the Commons FileUpload library bundled with current Apache Struts 2 releases is vulnerable to a two-year-old remote code execution flaw. Users of the library must update it by hand.

The bug is a known vulnerability, CVE-2016-1000031, that allows remote code execution in Struts, the open-source framework for building web applications in Java. The Apache Commons FileUpload library contains a Java object that can be manipulated so that, when it is deserialized, it writes or copies files to disk in arbitrary locations.

“A remote attacker could exploit this vulnerability to take control of an affected system,” said the advisory released on Monday. “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”

Apache Struts versions 2.3.36 and earlier use the vulnerable Commons FileUpload. Commons FileUpload 1.3.3 is the version users need to update to in order to mitigate this issue.
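Because the fix is a drop-in jar replacement under WEB-INF/lib, the practical defender task is finding every deployed application that still bundles a commons-fileupload jar older than 1.3.3. The scanner below is an added example, not code from Apache or the advisory; it assumes the usual servlet layout (`<app>/WEB-INF/lib/*.jar`), reads `Implementation-Version` from each jar's manifest and falls back to the version in the file name, and runs against a constructed sample deployment rather than a real server.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (1, 3, 3)  # the commons-fileupload release the advisory says to move to

def parse_version(text):
    """'1.3.2' or '1.3.3-SNAPSHOT' -> (1, 3, 2) / (1, 3, 3); None if the string does not start with digits."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to a version embedded in the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a zip, or no manifest entry: rely on the file name below
    m = re.search(r"commons-fileupload-(\d+(?:\.\d+)*)", jar_path.name)
    return parse_version(m.group(1)) if m else None

def find_vulnerable_fileupload(webapps_root):
    """[(jar path, version)] for every bundled commons-fileupload jar older than 1.3.3; unknown versions (None) are reported too."""
    hits = []
    for jar in Path(webapps_root).rglob("WEB-INF/lib/commons-fileupload*.jar"):
        ver = jar_version(jar)
        if ver is None or ver < FIXED:
            hits.append((str(jar), ver))
    return sorted(hits)

def build_demo_deployment(root):
    """Constructed sample data, not a real server: three web apps bundling different jar versions."""
    samples = {"shop/WEB-INF/lib/commons-fileupload-1.3.2.jar": "1.3.2",    # vulnerable
               "portal/WEB-INF/lib/commons-fileupload-1.3.3.jar": "1.3.3",  # fixed
               "legacy/WEB-INF/lib/commons-fileupload.jar": None}           # no version anywhere
    for rel, version in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        manifest = "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else "")
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)

def demo_scan():  # scan the constructed deployment; returns (file name, version) for jars that need replacing
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_deployment(tmp)
        return [(Path(p).name, v) for p, v in find_vulnerable_fileupload(tmp)]
```

A jar with no determinable version is listed alongside the known-old ones so it gets a manual look rather than silently passing.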