Apache Struts 2 remote code execution vulnerability (CVE-2016-0785) - vulnerability warning - the black bar safety net

2016-03-16T00:00:00
ID MYHACK58:62201672643
Type myhack58
Reporter Anonymous
Modified 2016-03-16T00:00:00

Description

Apache Struts 2 is the world's most popular Java web server framework. Unfortunately, a security researcher has found a remote code execution vulnerability in Struts 2. Apache has published an official announcement and rates the vulnerability as high risk.

The black bar safety net encyclopedia: Struts 2 is the next-generation successor to Struts, a new framework built by merging Struts 1 with WebWork technology. Its architecture is completely new and differs greatly from that of Struts 1. Struts 2 uses WebWork as its core and handles user requests through an interceptor mechanism; this design fully decouples the business-logic controller from the Servlet API, so Struts 2 can be understood as an updated WebWork. Although much changed from Struts 1 to Struts 2, Struts 2 changed little relative to WebWork.

Today a security researcher found a serious remote code execution vulnerability in Struts 2, CVE-2016-0785. Struts 2 developers and users should be aware of this vulnerability so that it cannot be exploited by unscrupulous parties.

Affected Struts 2 versions

Struts 2.0.0 – Struts 2.3.24.1

Repair recommendations

Always validate incoming parameter values when re-assigning them to Struts tag attributes. Users are recommended to upgrade Struts to version 2.3.25.

The black bar safety net will continue to track and report the vulnerability details; please stay tuned.
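The repair recommendation above, shown as an added Java example (not code from this advisory or from the Apache Struts project): request parameters are checked against a strict allow-list before they are stored in the fields that a view later hands to a Struts tag attribute. The parameter names (`sortOrder`, `sortField`), the `SortParams` class and the token policy are hypothetical.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allow-list validation for request parameters before they are re-assigned
 * to Struts tag attributes. Added example, not code from the advisory or
 * from the Apache Struts project; names and policies are hypothetical.
 */
public final class TagParamValidator {

    // Hypothetical policy: a value that ends up in a tag attribute may only be a
    // short, plain token. Anything else is rejected before it reaches the tag.
    private static final Pattern SAFE_TOKEN = Pattern.compile("^[A-Za-z0-9_\\-]{1,64}$");

    private TagParamValidator() {}

    /** Returns the value unchanged if it is a plain token, otherwise the fallback. */
    public static String safeToken(String raw, String fallback) {
        if (raw != null && SAFE_TOKEN.matcher(raw).matches()) {
            return raw;
        }
        return fallback;
    }

    /** Returns the value only if it is one of a fixed set of expected values. */
    public static String oneOf(String raw, Set<String> allowed, String fallback) {
        return (raw != null && allowed.contains(raw)) ? raw : fallback;
    }

    /**
     * Sketch of how an action's setters would use the validator: the fields that
     * the view later passes to a tag attribute never hold raw request input.
     * In a real application these setters live in the Struts action class.
     */
    public static final class SortParams {
        private static final Set<String> ORDERS = Set.of("asc", "desc");
        private String sortOrder = "asc";
        private String sortField = "name";

        public void setSortOrder(String raw) { this.sortOrder = oneOf(raw, ORDERS, "asc"); }
        public void setSortField(String raw) { this.sortField = safeToken(raw, "name"); }
        public String getSortOrder() { return sortOrder; }
        public String getSortField() { return sortField; }
    }

    public static void main(String[] args) {
        SortParams p = new SortParams();
        // Constructed inputs: one expected value and one that is not a plain token.
        p.setSortOrder("desc");
        p.setSortField("na me*");
        System.out.println("sortOrder=" + p.getSortOrder());
        System.out.println("sortField=" + p.getSortField());
    }
}
```

The view then reads the validated getters (for example through `<s:property value="sortField"/>`) rather than the raw request parameter, so only values the action has already accepted reach a tag attribute. This narrows what user input can be re-evaluated by the tag; the definitive fix remains the upgrade the advisory recommends.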