Apache Software Foundation announces a security update for Apache Struts to address a vulnerability in the Commons FileUpload library that could lead to remote code execution. We recommend updating now.
On November 5, the Apache Software Foundation (ASF) published a security announcement to Apache Struts project administrators about CVE-2016-1000031, a vulnerability in the Commons FileUpload library originally reported by Tenable’s Research team in 2016. This library ships as part of Apache Struts 2 and is used as the default mechanism for file uploads. The ASF reports that Apache Struts 2.3.36 and prior are vulnerable. A remote attacker could use this vulnerability to gain remote code execution on publicly accessible websites running a vulnerable version of Apache Struts.
For details about this vulnerability, please review the Tenable Research Advisory for the Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution (LOBSTER).
Urgently required actions
The ASF confirms that Apache Struts version 2.5.12 and above include the patched version of the commons-fileupload library, version 1.3.3. If possible, Apache Struts project administrators should upgrade to 2.5.12 and above. The ASF also notes that the patched version of the commons-fileupload library can be dropped into projects that have already been deployed by simply replacing the JAR file in the WEB-INF/lib path with the fixed version. Maven based Struts projects can address this vulnerability by adding in the following dependency:
<dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.3.3</version> </dependency>
Identifying affected systems
A list of Nessus plugins to identify this vulnerability can be found here.
Get more information:
- Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
- CVE-2016-1000031 Detail
- Tenable Research Advisory: Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution