Menu
Apache Struts security update disables vulnerable feature

Apache Struts security update disables vulnerable feature

Version 2.3.15.2 of the development framework also fixes an issue with the action mapping mechanism

A new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.

Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts 2.3.15.2 fixes issues that the software's developers had flagged as important.

A mechanism called the Dynamic Method Invocation (DMI) that's known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.

The feature was enabled in previous versions, but users were advised to switch it off if possible. This can be done by setting the struts.enable.DynamicMethodInvocation option to false in struts.xml.

As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version 2.3.15.2.

The new release also addresses an issue with the "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.

"In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints," the Struts developers said in a security advisory.

Additional details about this problem have been intentionally withheld for security reasons until a large number of users upgrade to the new version.

The Struts default action mapping mechanism has been a source of critical security vulnerabilities in the past. Version 2.3.15.2 of the framework released in July added code to sanitize "action:"-prefixed information and completely removed support for the "redirect:" and "redirectAction:" prefixes.

One alternative is for developers to write their own action mapping implementation and stop using the "action:" prefix completely if their applications don't need support for multiple submit buttons, the Struts developers said.

Client-side Java attacks have been under the spotlight this year, but Java Web applications, including those created with Struts, can also be a target for hackers.

Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securitypatch managementsoftwaretrend microapplication developmentpatchesApache Software FoundationExploits / vulnerabilities

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments