Apache Struts2 (S2-045) vulnerability briefing

ID MYHACK58:62201784024
Type myhack58
Reporter Anonymous
Modified 2017-03-07T00:00:00


Recently, the China National Vulnerability Database of Information Security (CNNVD) received a report concerning the Apache Struts2 S2-045 remote code execution vulnerability (CNNVD-201703-152). Because the vulnerability affects a wide range of systems and its severity is high, CNNVD tracked and analysed it. The findings are as follows.

1. Vulnerability introduction

Apache Struts is an open source project maintained by the Apache Software Foundation (USA). It is an open source MVC framework for building enterprise-class Java web applications and is offered in two main product lines, Struts 1 and Struts 2. Apache Struts versions 2.3.5 to 2.3.31 and 2.5 to 2.5.10 contain a remote code execution vulnerability (CNNVD-201703-152, CVE-2017-5638). The vulnerability exists because the exception handling of the file upload functionality does not correctly handle the error message derived from user input. A remote attacker can exploit it by sending a malicious packet and execute arbitrary commands on the affected server.

2. Vulnerability hazards

An attacker can send a malformed HTTP packet to exploit the vulnerability and execute system commands on the affected server, and from there can take complete control of the server, causing denial of service, data leakage, website tampering and other effects. Because exploitation requires no preconditions such as enabling DMI or debug functions, or enabling any plugin, the vulnerability is rated as particularly serious.

3. Repair measures

Apache has already published a security announcement for this vulnerability. Affected users should check whether they are affected.

Self-check: users can inspect the struts-core.x.x.jar file under the /WEB-INF/lib/ directory of the web application directory. If the version is between Struts 2.3.5 and Struts 2.3.31, or between Struts 2.5 and Struts 2.5.10, the vulnerability is present.

Upgrade: affected users can upgrade to Apache Struts 2.3.32 or Apache Struts to eliminate the vulnerability.

Temporary mitigation: users who cannot upgrade for the time being can take the following temporary measure:

- Delete the commons-fileupload-x.x.x.jar file. This will make the upload function unavailable.
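As an added example (not part of the CNNVD notice), the following Python script automates the self-check described above: it looks for the Struts core jar under WEB-INF/lib and compares its version against the affected ranges given in the notice. The jar file name pattern and the library path are assumptions.

```python
import re
from pathlib import Path

# Affected version ranges as stated in the CNNVD notice for S2-045 (CVE-2017-5638):
# 2.3.5 to 2.3.31 and 2.5 to 2.5.10, both ends inclusive.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Assumption: the core jar is named like "struts-core-2.3.31.jar" (the spelling
# used in the notice) or "struts2-core-2.3.31.jar" (the usual artifact name).
JAR_RE = re.compile(r"^struts2?-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version lies inside one of the affected ranges (inclusive).

    Tuple comparison handles shorter versions: (2, 5) <= (2, 5, 3) <= (2, 5, 10),
    while (2, 5, 10, 1) > (2, 5, 10) and is therefore reported as not affected.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_lib_dir(lib_dir):
    """Return {jar filename: affected?} for every Struts core jar in lib_dir."""
    results = {}
    for entry in Path(lib_dir).iterdir():
        match = JAR_RE.match(entry.name)
        if match:
            results[entry.name] = is_affected(match.group(1))
    return results


if __name__ == "__main__":
    import sys
    # Assumed path; pass the real WEB-INF/lib directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/path/to/webapp/WEB-INF/lib"
    for name, affected in scan_lib_dir(target).items():
        print(f"{'AFFECTED' if affected else 'ok      '} {name}")
```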