The Apache Software Foundation released an advisory addressing a vulnerability in Apache Struts which could allow a remote attacker to take control of an affected system.
The problem is the result of a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior, according to a Nov. 5 US-CERT advisory.
According to the Apache advisory, a project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the commons-fileupload library.
“The updated commons-fileupload library is a drop-in replacement for the vulnerable version,” according to an Apache advisory. “Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”
The National Cybersecurity and Communications Integration Center (NCCIC) encourages users and administrators of Apache Struts versions 2.3.36 and prior to upgrade to the latest released version of the Commons FileUpload library, which at the time of the advisory is 1.3.3.
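The advisory's hardening step is a jar swap in WEB-INF/lib, so the practical questions for an operator are "which version is deployed?" and "did the swap take?". The script below is an added example, not code from the advisory, US-CERT or the Struts project. It audits a deployed webapp for a commons-fileupload jar older than the fixed 1.3.3 release and performs the drop-in replacement. It assumes the jar follows the Maven naming convention commons-fileupload-<version>.jar; the function names, the sample webapp layout it builds for its own demo, and the empty placeholder jar files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the Struts project).
# Audit a deployed Struts 2 webapp for a vulnerable commons-fileupload jar and
# apply the advisory's drop-in replacement in WEB-INF/lib.
# Assumption: jars are named commons-fileupload-<version>.jar (Maven convention).

FIXED_VERSION="1.3.3"   # fixed release named in the advisory

# Version from a jar filename, e.g. .../commons-fileupload-1.3.2.jar -> 1.3.2
fileupload_version() {
    basename "$1" .jar | sed 's/^commons-fileupload-//'
}

# True (exit 0) if dotted version $1 sorts numerically below $2.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Report each commons-fileupload jar under $1/WEB-INF/lib as VULNERABLE or OK.
# Exit status: 0 all OK, 1 at least one vulnerable jar, 2 no jar found.
audit_webapp() {
    webapp="$1"
    rc=0
    for jar in "$webapp"/WEB-INF/lib/commons-fileupload-*.jar; do
        if [ ! -e "$jar" ]; then
            echo "no commons-fileupload jar in $webapp/WEB-INF/lib"
            return 2
        fi
        ver=$(fileupload_version "$jar")
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "$jar $ver VULNERABLE (replace with commons-fileupload-$FIXED_VERSION.jar)"
            rc=1
        else
            echo "$jar $ver OK"
        fi
    done
    return $rc
}

# Drop-in replacement: remove every commons-fileupload jar from WEB-INF/lib
# and copy the fixed jar ($1) in its place. $2 is the webapp root.
harden_webapp() {
    fixed_jar="$1"
    webapp="$2"
    for jar in "$webapp"/WEB-INF/lib/commons-fileupload-*.jar; do
        [ -e "$jar" ] && rm -f "$jar"
    done
    cp "$fixed_jar" "$webapp/WEB-INF/lib/"
}

# Demo on a constructed webapp: an empty placeholder file stands in for the
# 1.3.2 jar, and another for the downloaded 1.3.3 jar.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/app/WEB-INF/lib"
: > "$demo_dir/app/WEB-INF/lib/commons-fileupload-1.3.2.jar"
: > "$demo_dir/commons-fileupload-$FIXED_VERSION.jar"
audit_webapp "$demo_dir/app" || true
harden_webapp "$demo_dir/commons-fileupload-$FIXED_VERSION.jar" "$demo_dir/app"
audit_webapp "$demo_dir/app" || true
rm -rf "$demo_dir"
```

Run `audit_webapp /path/to/webapp` before and after the swap and restart the servlet container in between, since an already-loaded jar stays in use until the application is reloaded. The filename check is a heuristic: a renamed or shaded jar would slip past it, so where that is possible confirm the version from the jar's META-INF/MANIFEST.MF instead, and treat the jar swap as the interim hardening the advisory describes rather than a substitute for upgrading Struts itself.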