
Apache Struts vulnerability would allow system takeover

The Apache Software Foundation released an advisory addressing a vulnerability in Apache Struts which could allow a remote attacker to take control of an affected system.

The problem is the result of a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior, according to a Nov. 5 US-CERT advisory.

Researchers said projects are affected if they use the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload.

“The updated commons-fileupload library is a drop-in replacement for the vulnerable version,” according to an Apache advisory. “Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”

The National Cybersecurity and Communications Integration Center (NCCIC) encourages users and administrators of Apache Struts versions 2.3.36 and prior to upgrade to the latest released version of the Commons FileUpload library, which is currently 1.3.3.
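Since the fix is a jar swap rather than a Struts upgrade, the practical first step is an inventory of which deployed applications still ship an old commons-fileupload. The following POSIX shell check is an added example, not part of the article or the Apache advisory; it assumes exploded webapps on disk and jars that keep their Maven-style name, commons-fileupload-<version>.jar.

```shell
#!/bin/sh
# Added example: find commons-fileupload jars in WEB-INF/lib below the fixed
# release (1.3.3) so they can be replaced with the drop-in fixed jar.
# Assumes exploded webapps and Maven-style jar names (commons-fileupload-X.Y.Z.jar).

FIXED_VERSION="1.3.3"

# version_lt A B: succeed when dotted version A sorts below B numerically,
# so 1.2.9 < 1.3.1 and 1.3.2 < 1.3.3, while 1.3.3 is not below itself.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# check_fileupload_jars ROOT: print one line per commons-fileupload jar found
# under any WEB-INF/lib below ROOT, tagged VULNERABLE or OK.
check_fileupload_jars() {
    find "$1" -path '*/WEB-INF/lib/commons-fileupload-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        # Strip directory, ".jar" suffix and artifact prefix to leave the version.
        ver=$(basename "$jar" .jar | sed 's/^commons-fileupload-//')
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$jar"
        else
            printf 'OK %s %s\n' "$ver" "$jar"
        fi
    done
}

# Usage: sh check_fileupload.sh /path/to/webapps
if [ "$#" -gt 0 ]; then
    check_fileupload_jars "$1"
fi
```

Every line tagged VULNERABLE names a jar to replace with the fixed 1.3.3 jar in that WEB-INF/lib, as the Apache advisory describes.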
