Apache Upgrade Repairs Struts, Fixes Two Vulnerabilities

Developers behind the Apache Struts framework have released an update that fixes two vulnerabilities.

Creators of the open-source web application framework are encouraging users to upgrade to Struts 2.3.15.2 immediately.

One of the fixes addresses an issue (CVE-2013-4316) in the Dynamic Method Invocation (DMI) feature that was previously thought to break users’ applications if relied on too heavily. It was previously enabled by default and flashed a warning that users should switch it off if possible. Now the feature is disabled by default – or if users want to employ a workaround, they can switch struts.enable.DynamicMethodInvocation to false in struts.xml.

The second fix involves a broken access control vulnerability issue (CVE-2013-4310) with Struts 2’s action mapping mechanism. A parameter in the mechanism was set up to support the prefix “action:” to make sure navigational information can be attached to buttons in forms. Unfortunately “under certain conditions” attackers could have used this feature to bypass security constraints. The update fixes the mechanism and restricts security constraints. Like the DMI issue, there’s a workaround, writing your own ActionMapper and, dropping support for “action:”

Part of the Apache Software Foundation, Struts is used by developers to build Java- based web apps. Those interested in learning more about the fixes can head to Apache’s version notes on Struts 2.3.15.2 and download what Apache is calling the “best available” version of the framework on its site.