Apache Struts security update disables vulnerable feature
A new version of the Apache Struts development framework released Friday fixes two problems that had developers worried.
Apache Struts is a popular open-source framework for developing Java-based Web applications and is maintained by the Apache Software Foundation. The newly released Struts 2.3.16 fixes issues that the software’s developers had flagged as important.
A mechanism called the Dynamic Method Invocation (DMI) that’s known to be a source of possible security vulnerabilities is disabled by default in the new Struts version.
The feature was enabled in previous versions, but users were advised to switch it off if possible. This can be done by setting the struts.enable.DynamicMethodInvocation option to false in struts.xml.
As a result of this latest change, developers who maintain applications that rely heavily on DMI might need to refactor them if they upgrade to Struts version 2.3.16.
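An added example, not taken from the article or the Struts project, of what the two preceding paragraphs describe: a struts.xml that pins struts.enable.DynamicMethodInvocation to false and declares each reachable method through an explicit action mapping instead of relying on the DMI "action!method" URL syntax. The package, action names and the com.example.UserAction class are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Disable Dynamic Method Invocation explicitly, so the behaviour does not
         depend on whichever default the installed Struts version ships with. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Assumed package and class names, used only for this example. -->
    <package name="example" extends="struts-default" namespace="/">
        <!-- With DMI on, a request such as /user!delete.action selects the
             delete() method of UserAction from the URL alone. With DMI off,
             every method that should be reachable is declared here, and only
             the methods listed can be invoked. -->
        <action name="userSave" class="com.example.UserAction" method="save">
            <result>/user.jsp</result>
        </action>
        <action name="userDelete" class="com.example.UserAction" method="delete">
            <result>/user.jsp</result>
        </action>
    </package>
</struts>
```

Links and forms that previously used the "!method" suffix must point at the named actions (userSave, userDelete) once this configuration is in place.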
The new release also addresses an issue with the “action:” prefix of the action mapping mechanism that can be used to attach navigation information to buttons within forms.
“In Struts 2 before 2.3.16, under certain conditions this can be used to bypass security constraints,” the Struts developers said in a security advisory.
Additional details about this problem have been intentionally withheld for security reasons until a large number of users upgrade to the new version.
The Struts default action mapping mechanism has been a source of critical security vulnerabilities in the past. Version 2.3.15.1 of the framework, released in July, added code to sanitize “action:”-prefixed information and completely removed support for the “redirect:” and “redirectAction:” prefixes.
One alternative is for developers to write their own action mapping implementation and stop using the “action:” prefix completely if their applications don’t need support for multiple submit buttons, the Struts developers said.
Client-side Java attacks have been under the spotlight this year, but Java Web applications, including those created with Struts, can also be a target for hackers.
Last month, researchers from security vendor Trend Micro warned that attackers from China are using an automated tool to exploit known Struts vulnerabilities to break into servers that host applications developed with the framework.