Menu
Apache Struts security update disables vulnerable feature

Apache Struts security update disables vulnerable feature

Version 2.3.15.2 of the development framework also fixes an issue with the action mapping mechanism

A new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.

Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts 2.3.15.2 fixes issues that the software's developers had flagged as important.

A mechanism called the Dynamic Method Invocation (DMI) that's known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.

The feature was enabled in previous versions, but users were advised to switch it off if possible. This can be done by setting the struts.enable.DynamicMethodInvocation option to false in struts.xml.

As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version 2.3.15.2.

The new release also addresses an issue with the "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.

"In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints," the Struts developers said in a security advisory.

Additional details about this problem have been intentionally withheld for security reasons until a large number of users upgrade to the new version.

The Struts default action mapping mechanism has been a source of critical security vulnerabilities in the past. Version 2.3.15.2 of the framework released in July added code to sanitize "action:"-prefixed information and completely removed support for the "redirect:" and "redirectAction:" prefixes.

One alternative is for developers to write their own action mapping implementation and stop using the "action:" prefix completely if their applications don't need support for multiple submit buttons, the Struts developers said.

Client-side Java attacks have been under the spotlight this year, but Java Web applications, including those created with Struts, can also be a target for hackers.

Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securitypatch managementsoftwaretrend microapplication developmentpatchesApache Software FoundationExploits / vulnerabilities

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments