Security Alert (A18-11-01): Vulnerability in Commons FileUpload Library for Apache Struts and Other Java-based systems


 

Published on: 07 November 2018

  
  

Description:

A vulnerability in the Apache Commons FileUpload library discovered in 2016 affects Apache Struts systems. A remote attacker could exploit the vulnerability by uploading a specially crafted file to the affected system.

 

Affected Systems:

  • Apache Struts 2.5.11 and prior
  • Apache Struts 2.3.36 and prior
  • Other Java-based systems using Commons FileUpload library before version 1.3.3

 

Impact:

A successful attack could lead to arbitrary code execution on an affected system.

 

Recommendation:

Administrators of the affected systems should follow the recommendations provided by the Apache Software Foundation for Struts below and take immediate actions to mitigate the risk.

  • For Apache Struts 2.5.11 and priorSystem administrators should upgrade the Apache Struts to the latest version to address the issue. The latest version is available at:
    https://struts.apache.org/download.cgi

  • For Apache Struts 2.3.36 and prior
    Patch is not available for Apache Struts 2.3.x yet. System administrators should manually upgrade the vulnerable Commons FileUpload library to the latest version 1.3.3.

- Replace the "commons-fileupload" jar file in WEB-INF/lib with the fixed jar file; or
- Add the following dependency for Maven-based projects:

<dependency>
     <groupId>commons-fileupload</groupId>
     <artifactId>commons-fileupload</artifactId>
     <version>1.3.3</version>
</dependency>

For details, please refer to
http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

  • For other Java-based systems
    The Common FileUpload library could also be used in Java-based systems other than Apache Struts. System administrators are recommended to check whether the vulnerable library is adopted in other systems. If so, the vulnerable library should be upgraded accordingly.

 

More Information:

https://www.us-cert.gov/ncas/current-activity/2018/11/05/Apache-Releases-Security-Advisory-Apache-Struts
http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E
https://issues.apache.org/jira/browse/FILEUPLOAD-279
https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
https://issues.apache.org/jira/browse/WW-4812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

 



Tag: Apache , Struts , Commons FileUpload
Tags