Apache Struts security update disables vulnerable feature

Version 2.3.15.2 of the development framework also fixes an issue with the action mapping mechanism

A new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.

Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts 2.3.15.2 fixes issues that the software's developers had flagged as important.

A mechanism called the Dynamic Method Invocation (DMI) that's known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.

The feature was enabled in previous versions, but users were advised to switch it off if possible. This can be done by setting the struts.enable.DynamicMethodInvocation option to false in struts.xml.

As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version 2.3.15.2.
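The following struts.xml is an added example, not configuration from the article or from the Struts project. It pins the DMI setting off explicitly (matching the new 2.3.15.2 default, so the hardened posture survives a later change of defaults) and shows the shape of the refactoring the article mentions: each reachable method is named in the configuration rather than chosen by the caller in the URL. The package name, the action names, the class com.example.PersonAction and the JSP paths are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Turn Dynamic Method Invocation off explicitly. Struts 2.3.15.2 already
         defaults to false; stating it here documents the intent and keeps the
         setting from silently changing if the framework default ever does. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <package name="example" extends="struts-default">
        <!-- com.example.PersonAction is a hypothetical action class used only
             for this example. With DMI enabled, a caller could pick the method
             in the URL (the "action!method" form); with DMI disabled, only the
             methods listed explicitly via the method attribute can be reached. -->
        <action name="showPerson" class="com.example.PersonAction" method="show">
            <result>/WEB-INF/jsp/person.jsp</result>
        </action>
        <action name="savePerson" class="com.example.PersonAction" method="save">
            <result type="redirectAction">showPerson</result>
        </action>
    </package>
</struts>
```

The same constant can be set in struts.properties as struts.enable.DynamicMethodInvocation=false. After upgrading, a quick check is to request an action with the "!method" form and confirm it no longer dispatches to the named method; any such URLs still in use by the application are the places that need an explicit action mapping like the ones above.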

The new release also addresses an issue with the "action:" prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.

"In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints," the Struts developers said in a security advisory.

Additional details about this problem have been intentionally withheld for security reasons until a large number of users upgrade to the new version.

The Struts default action mapping mechanism has been a source of critical security vulnerabilities in the past. Version 2.3.15.2 of the framework released in July added code to sanitize "action:"-prefixed information and completely removed support for the "redirect:" and "redirectAction:" prefixes.

One alternative is for developers to write their own action mapping implementation and stop using the "action:" prefix completely if their applications don't need support for multiple submit buttons, the Struts developers said.

Client-side Java attacks have been under the spotlight this year, but Java Web applications, including those created with Struts, can also be a target for hackers.

Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.

