Apache Struts 18.104.22.168 Released to Properly Fix Zero-Day Vulnerability
Last week, The Apache Software Foundation released version 22.214.171.124 of Apache Struts, the open-source framework for creating Java web applications, to address a zero-day vulnerability. The issue should have been patched since early March.
In March, the Apache Struts group announced Struts 126.96.36.199, which fixed a couple of security issues: ClassLoader manipulation via request parameters, and an update to the Commons FileUpload library to prevent denial-of-service (DOS) attacks.
It turns out that the fix for the ClassLoader manipulation issue wasn’t efficient. As a result, Struts 188.8.131.52 has been released.
Re: Apache Struts 184.108.40.206 Released to Properly Fix Zero-Day Vulnerability
UPDATE from Apache 2.4.10-dev
by Dennis Fisher July 17,2014
There are five vulnerabilities fixed in the latest release of the Apache Web server, including a buffer overflow and several denial-of-service vulnerabilities. Fixes for these flaws have landed in the developer release of the server, 2.4.10-dev.
The buffer overflow vulnerability is rated moderate by the Apache Software Foundation, but it could be used for remote code execution under the right circumstances. The flaw lies in the way that Apache handles updating the mod_status component. It’s caused by a race condition, and an attacker can exploit it without authentication.
“The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution,” says the advisory from HP’s Zero Day Initiative, which reported the vulnerability to Apache on behalf of the researcher who discovered it, Marek Kroemeke.