We (Apache Struts) do not share the exact PoCs anymore to reduce the risk of informing attackers how to use a given vulnerability; you can find some examples over the internet - that's all I can suggest.
2014-05-16 23:57 GMT+02:00 Deepak Subbanarasimha <d.subbanarasi...@kewill.com>:
> Lukasz,
>
> Thank you for responding. This is very helpful.
>
> Do you have information on what kind of attacks this vulnerability would
> expose systems to? Ex. Cross-Site scripting. Is there anything else?
>
> Do you have any suggestions on how to test this fix?
>
> Thanks,
> Deepak
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlen...@apache.org]
> Sent: Monday, May 05, 2014 8:00 AM
> To: Struts Users Mailing List
> Subject: Re: Struts zero-day vulnerability
>
> Here you have more details [1] and just to point it out - Struts 1 reached
> EOL [2] and no further development is expected! Consider migration to Struts2
> or any other modern framework.
>
> [1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2d8va2wlzt
> [2] http://struts.apache.org/struts1eol-announcement.html
>
> 2014-05-05 13:53 GMT+02:00 Deepak Subbanarasimha <d.subbanarasi...@kewill.com>:
>> Hello,
>>
>> We use struts version 1.2.2 and commons-file upload version 1.1.1. It is
>> not clear from this notification if these versions are impacted.
>>
>> 1. Can anyone confirm if these versions are affected?
>>
>> 2. If they are affected, what can be done? Should we upgrade to Struts
>> 2.x?
>>
>> The notification below only talks about struts 2.x version.
>>
>> -Deepak
>>
>> PURPOSE
>> -------------
>>
>> The purpose of this Alert is to bring attention to a recently announced
>> security vulnerability for Apache Struts.
>>
>> ASSESSMENT
>> ------------------
>>
>> Apache Struts up to 2.3.16.1 is being reported as having a zero-day
>> vulnerability. In particular, Struts 2.3.16.1 has an issue with ClassLoader
>> manipulation via request parameters which was supposed to be resolved on 2
>> March 2014 through a security fix. Unfortunately, it was confirmed that the
>> correction wasn't sufficient.
>>
>> According to the Apache Struts Team, a security fix release fully addressing
>> all these issues is in preparation and will be released as soon as possible.
>> Once the release is available, all Struts 2 users are strongly encouraged to
>> update their installations.
>>
>> SUGGESTED ACTION
>> ----------------------------
>>
>> The Apache Struts Team has published the following mitigation information:
>>
>> In the struts.xml, replace all custom references to params-interceptor with
>> the following code, especially regarding the class-pattern found at the
>> beginning of the excludeParams list:
>>
>> <interceptor-ref name="params">
>>   <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>> </interceptor-ref>
>>
>> If you are using default interceptor stacks packaged in
>> struts-default.xml, change your parent packages to a customized
>> secured configuration as in the following example. Given you are using
>> defaultStack so far, change your packages from
>>
>> <package name="default" namespace="/" extends="struts-default">
>>   <default-interceptor-ref name="defaultStack" />
>>   ...
>>   ...
>> </package>
>>
>> to
>>
>> <package name="default" namespace="/" extends="struts-default">
>>   <interceptors>
>>     <interceptor-stack name="secureDefaultStack">
>>       <interceptor-ref name="defaultStack">
>>         <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>>       </interceptor-ref>
>>     </interceptor-stack>
>>   </interceptors>
>>
>>   <default-interceptor-ref name="secureDefaultStack" />
>>   ...
>> </package>
>>
>> References:
>> =================
>>
>> http://struts.apache.org/announce.html#a20140302
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
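An added example, not part of the thread or of the Struts project, that answers the "how do we test this fix" question for the excludeParams list quoted in the alert: it splits the list the way the params interceptor does and reports which constructed parameter names would be dropped. It assumes each comma-separated pattern is applied as a full-string Java match, which Python's re.fullmatch mirrors, and it also surfaces the false positive that any name containing "class." is excluded.

```python
import re

# excludeParams value copied verbatim from the mitigation in the alert above.
EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)


def compile_exclude_patterns(exclude_params: str) -> list:
    """Split the comma-separated excludeParams list into compiled regexes."""
    return [re.compile(p.strip()) for p in exclude_params.split(",") if p.strip()]


PATTERNS = compile_exclude_patterns(EXCLUDE_PARAMS)


def is_excluded(param_name: str, patterns=PATTERNS) -> bool:
    """True if the params interceptor would drop this parameter name.

    Assumption: the interceptor requires the whole name to match a pattern
    (Java Matcher.matches()), so re.fullmatch is used rather than re.search.
    """
    return any(p.fullmatch(param_name) for p in patterns)


def classify(param_names) -> dict:
    """Map each parameter name to 'excluded' or 'accepted'."""
    return {n: ("excluded" if is_excluded(n) else "accepted") for n in param_names}


# Constructed sample request parameter names (not taken from the thread).
SAMPLES = [
    "firstName",            # plain action property: accepted
    "user.address.city",    # nested property: accepted
    "classroom",            # contains "class" but no navigation step follows: accepted
    "class.classLoader.x",  # navigates into the action's Class object: excluded
    "user.class.name",      # nested getClass() navigation: excluded
    "user['class'].name",   # OGNL quoted index form: excluded
    'user["Class"].name',   # capitalised variant: excluded
    "class[0]",             # unquoted index form: excluded
    "subclass.id",          # false positive: any "class." substring is caught
    "dojo.preventCache",    # framework-internal prefix: excluded
    "request.locale",       # scoped prefix: excluded
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{verdict:8} {name}")
```

Run it against the parameter names your own forms actually post; a legitimate property such as subclass.id being reported as excluded means the mitigation will silently break that binding and needs a renamed property or a narrower pattern.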