The Apache Software Foundation is warning organizations using certain versions of Struts 2 to update a library called “Commons FileUpload”, which contains a two-year-old flaw that can lead to remote code execution attacks against public-facing websites.

The flaw affects projects using Struts 2.3.36 and prior, which use the Commons FileUpload library version 1.3.2. Applications on Struts 2.5.12 are not affected because they’re using the Commons FileUpload library version 1.3.3, which addressed a critical flaw disclosed in 2016.

“Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior,” the Apache Struts team said in the advisory published today. “This is necessary to prevent your publicly accessible web site from being exposed to possible remote code execution attacks,” the team added.

US-CERT has also urged admins running Struts version 2.3.36 and prior to review the advisory.

The Commons FileUpload library, which is maintained by Apache Commons, is a tool for adding file upload capabilities to web applications and Java servlets.
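As an added check (not from the advisory or the CSO article), a POSIX shell script that walks a servlet container's webapps root and flags any deployed commons-fileupload jar older than the fixed 1.3.3 release; it assumes the jars keep their Maven artifact names (commons-fileupload-<version>.jar) and the standard <app>/WEB-INF/lib layout.

```shell
#!/bin/sh
# Added example: find deployed commons-fileupload jars older than 1.3.3.
# Assumption: jars are named commons-fileupload-<version>.jar and live
# under <webapps-root>/<app>/WEB-INF/lib, as in a stock Tomcat layout.

FIXED_VERSION="1.3.3"

# Return 0 when dotted version $1 is older than dotted version $2.
# Missing fields count as 0, so "1.4" compares as 1.4.0.
version_lt() {
    v1="$1" v2="$2"
    oldIFS=$IFS; IFS=.
    set -- $v1; a=${1:-0}; b=${2:-0}; c=${3:-0}
    set -- $v2; x=${1:-0}; y=${2:-0}; z=${3:-0}
    IFS=$oldIFS
    [ "$a" -lt "$x" ] \
        || { [ "$a" -eq "$x" ] && [ "$b" -lt "$y" ]; } \
        || { [ "$a" -eq "$x" ] && [ "$b" -eq "$y" ] && [ "$c" -lt "$z" ]; }
}

# Extract the version from a jar path:
# .../commons-fileupload-1.3.2.jar -> 1.3.2 (empty if not a fileupload jar).
fileupload_version() {
    basename "$1" .jar | sed -n 's/^commons-fileupload-//p'
}

# Return 0 when the given commons-fileupload version still needs the
# upgrade the advisory calls for (anything below 1.3.3).
version_is_vulnerable() {
    ver=${1%%-*}            # drop qualifiers such as -SNAPSHOT
    [ -n "$ver" ] || return 1
    version_lt "$ver" "$FIXED_VERSION"
}

# Scan a webapps root, print each jar that must be upgraded, and return
# 1 if any was found (0 when every deployed copy is already >= 1.3.3).
scan_for_vulnerable_fileupload() {
    found=0
    for jar in "$1"/*/WEB-INF/lib/commons-fileupload-*.jar; do
        [ -e "$jar" ] || continue
        ver=$(fileupload_version "$jar")
        if version_is_vulnerable "$ver"; then
            echo "UPGRADE: $jar (commons-fileupload $ver < $FIXED_VERSION)"
            found=1
        fi
    done
    return $found
}
```

Run it as `scan_for_vulnerable_fileupload /path/to/tomcat/webapps`; a non-zero exit means at least one application still ships the 1.3.2 or older library.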
Read full news article on CSO