Users of Apache Struts are encouraged to update to the latest version of Commons FileUpload library to prevent remote code execution and denial-of-service (DoS) attacks through vulnerabilities tracked as CVE-2016-1000031 and CVE-2014-0050 respectively.
As an open-source web application development framework, Struts uses a built in Commons FileUpload package to add the file upload capability to its users’ servlets and web applications. However, earlier versions of Struts starting with 2.3.36 are susceptible to remote code execution and DoS attacks through the built-in Commons FileUpload 1.3.2, which carries the two said vulnerabilities.
Apache's recommendation comes two years after the remote code execution (CVE-2016-1000031) was first discovered by Tenable, who found that a Java Object in Commons FileUpload library can be manipulated to write arbitrary files to disk if it is deserialized.
On the other hand, the vulnerability that could lead to a DoS attack (CVE-2014-0050) was disclosed by Apache back in 2014. According to the announcement, this vulnerability could allow a malicious threat actor to create a multipart request that causes Commons FileUpload to enter a loop that can be used for a DoS attack.
Fortunately, these vulnerabilities have been patched in the 1.3.3 version of Commons FileUpload. Apache Struts users, specifically those of versions 2.3.36 or earlier are encouraged to update accordingly.
Users are instructed to manually update to Commons FileUpload 1.3.3 by replacing the commons-fileupload JAR file in WEB-INF/lib with the new version. More detailed instructions can be found in this message from the Apache Struts team.
History and implications
Apache had last issued a security advisory a few months ago for a different remote code execution vulnerability (CVE-2018-11776) urging users to update to its latest version. Patched Apache vulnerabilities also seem to remain in the radar of threat actors, as proven by a new Mirai variant that reportedly targets CVE-2017-5638.
Staying ahead of these vulnerabilities remains important for all users, given how much of an impact an exploit can have. Cases like that of Apache show that when it comes to vulnerabilities, adept and prompt action is necessary not only by the developers involved but also by individual users.
Trend Micro™ Deep Security™ provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.
The Trend Micro Deep Security solution protects user systems from any threat that might target CVE-2016-1000031 via the following deep packet inspection (DPI) rule:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.