In an advisory yesterday, the Apache Software Foundation reiterated its recommendation that users of Struts make sure their installations run a version of the Commons FileUpload library newer than 1.3.2, lest they expose their projects to possible remote code execution attacks.
Versions of the library prior to 1.3.3 have a deserialization problem with a Java Object, which could be exploited to write or copy files to arbitrary locations on the disk.
According to the original advisory for the vulnerability, "while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call."
Unless there is a different mechanism to add file upload capability to web applications built with Struts, the framework defaults to the Commons FileUpload component.
The Foundation released the first alert on the matter in March. Since then, two new versions of Struts 2.3.x have become available. The latest in the branch is Struts 2.3.36, released as a "General Availability" edition on October 15. Just like the versions it succeeded, it includes a vulnerable version of the library. This was possible because Commons FileUpload was updated to 1.3.3 only in Apache Struts 2.5.12, while the 2.3.x branch continued to ship releases with the faulty version.
The vulnerability referenced in the alert was discovered two years ago and received the identifier CVE-2016-1000031.
A similar alert was issued the day before yesterday, urging users to update the library to protect against a 2014 security bug that could cause a denial-of-service condition.
To eliminate the risk, users have to replace the faulty Commons FileUpload variant manually. This is achieved in already deployed applications by replacing the old version in "WEB-INF/lib" with the latest 'commons-fileupload' JAR file currently available for download.
For Struts 2 projects based on Maven, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
    </dependency>
Johannes Ullrich of the SANS Internet Storm Center reminds administrators that they should check all their systems for the vulnerable library and remove it.
"Struts isn't the only one using it, and others may have neglected to update it as well," he says in a blog post.
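The manual check described above, both for deployed Struts applications (the JAR in "WEB-INF/lib") and for the system-wide sweep Ullrich recommends, as an added example that is not part of the advisory or the SANS post: it walks a directory tree, finds every commons-fileupload JAR, reads the version from the file name (or from the JAR manifest when the file was renamed) and flags anything older than 1.3.3. It assumes POSIX sh, find and, for the manifest fallback, unzip.

```shell
#!/bin/sh
# Added example (not from the advisory): locate commons-fileupload JARs and
# flag any release older than 1.3.3, the first version fixed for CVE-2016-1000031.

# Return 0 (true) when version $1 sorts before 1.3.3, i.e. is still vulnerable.
# Accepts "1.3.2", "1.3", "1.3.3-SNAPSHOT" and similar; missing parts count as 0.
fileupload_version_vulnerable() {
    oldifs=$IFS; IFS='.-'
    set -- $1
    IFS=$oldifs
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    key=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$key" -lt 1003003 ]
}

# Print one "STATUS<tab>VERSION<tab>PATH" line per commons-fileupload JAR found
# under directory $1 (e.g. /opt/tomcat/webapps, or / for a whole host).
scan_for_vulnerable_fileupload() {
    find "$1" -type f -iname 'commons-fileupload*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#commons-fileupload-}
        if [ "$ver" = "$base" ]; then
            # No version in the file name (renamed JAR): read the manifest instead.
            ver=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null |
                  sed -n 's/^Implementation-Version:[[:space:]]*//p' |
                  tr -d '\r' | head -n 1)
        fi
        if [ -z "$ver" ]; then
            status=UNKNOWN
        elif fileupload_version_vulnerable "$ver"; then
            status=VULNERABLE
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "${ver:-?}" "$jar"
    done
}

# Usage: sh find-fileupload.sh /path/to/scan
if [ $# -gt 0 ]; then
    scan_for_vulnerable_fileupload "$1"
fi
```

UNKNOWN lines are JARs whose version could not be determined and deserve a manual look; a clean host prints only OK lines.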
Apache Struts versions from 2.5.12 and above are not affected because they already have the newer Commons FileUpload release.