
Apache Struts 2.3.16.2 Released to Properly Fix Zero-Day Vulnerability

Last week, the Apache Software Foundation released version 2.3.16.2 of Apache Struts, the open-source framework for building Java web applications, to address a zero-day vulnerability. The issue was supposed to have been fixed in early March.

In March, the Apache Struts team announced Struts 2.3.16.1, which fixed two security issues: ClassLoader manipulation via request parameters, and an update of the Commons FileUpload library to prevent denial-of-service (DoS) attacks.

It turns out that the fix for the ClassLoader manipulation issue was incomplete: it blocked only one spelling of the offending parameter names. As a result, Struts 2.3.16.2 has been released with a broader exclusion.
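As an added illustration, not code from this page, from Apache or from the Struts project: Struts' ParametersInterceptor drops any request-parameter name that fully matches one of the configured excludeParams regexes before the remaining names are handed to OGNL. The two patterns below are my recollection of the "class" exclusion in struts-default.xml for 2.3.16.1 and 2.3.16.2 respectively, and the parameter names are constructed test inputs; treat both as assumptions to verify against the actual releases. Python's re.fullmatch stands in for Java's Matcher.matches(), which is what the interceptor uses, so the match semantics are the same for these patterns.

```python
import re

# Assumed (recollected, not quoted from this page) excludeParams regexes for the
# "class" property in struts-default.xml.  The 2.3.16.1 pattern only matches a
# lower-case "class." prefix; the 2.3.16.2 pattern also catches a capitalised
# "Class", bracket access such as class['classLoader'], and "class" nested under
# another property.  The other shipped exclusions (dojo., struts., session., ...)
# are omitted because they did not change between the two releases.
EXCLUDE_2_3_16_1 = [r"^class\..*"]
EXCLUDE_2_3_16_2 = [r"(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")]|\[).*"]


def is_excluded(name: str, patterns) -> bool:
    """Mimic ParametersInterceptor.isExcluded: a parameter name is dropped when
    any exclude pattern matches the *whole* name (Java Matcher.matches(), hence
    re.fullmatch rather than re.search)."""
    return any(re.fullmatch(p, name) for p in patterns)


def accepted_parameters(params: dict, patterns) -> dict:
    """Return the subset of request parameters that would reach OGNL property
    setting under the given exclude list."""
    return {k: v for k, v in params.items() if not is_excluded(k, patterns)}


# Constructed request parameters: one legitimate form field, the lower-case
# ClassLoader-manipulation name blocked in March, and two alternative spellings
# that OGNL resolves to the same getClass().getClassLoader() chain.
REQUEST_PARAMS = {
    "user.name": "alice",
    "class.classLoader.resources.dirContext.docBase": "/tmp",
    "Class.classLoader.resources.dirContext.docBase": "/tmp",
    "class['classLoader']['resources']['dirContext']['docBase']": "/tmp",
}


def bypasses(patterns) -> list:
    """Parameter names that reach the class loader yet slip past `patterns`."""
    return [
        name for name in accepted_parameters(REQUEST_PARAMS, patterns)
        if "classLoader" in name
    ]


if __name__ == "__main__":
    print("2.3.16.1 lets through:", bypasses(EXCLUDE_2_3_16_1))
    print("2.3.16.2 lets through:", bypasses(EXCLUDE_2_3_16_2))
```

Running the block shows the two alternative spellings passing the March pattern and nothing passing the April one. The caveat is that the broader pattern is a blocklist and over-matches as well: because one of its alternatives is a bare `.*`, any name containing `class.` in the middle (for example `subclass.name`) is also dropped, so applications with such properties need to test their forms after upgrading.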

Re: Apache Struts 2.3.16.2 Released to Properly Fix Zero-Day Vulnerability

UPDATE from Apache 2.4.10-dev

by Dennis Fisher, July 17, 2014

There are five vulnerabilities fixed in the latest release of the Apache Web server, including a buffer overflow and several denial-of-service vulnerabilities. Fixes for these flaws have landed in the developer release of the server, 2.4.10-dev.

The buffer overflow vulnerability is rated moderate by the Apache Software Foundation, but it could be used for remote code execution under the right circumstances. The flaw lies in the way that Apache handles updating the mod_status component. It’s caused by a race condition, and an attacker can exploit it without authentication.

“The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution,” says the advisory from HP’s Zero Day Initiative, which reported the vulnerability to Apache on behalf of the researcher who discovered it, Marek Kroemeke.
