The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.
The critical bug in Commons FileUpload library is a known vulnerability (CVE-2016-1000031) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.
Essentially a Java Object exists in the Apache Commons FileUpload library that can be manipulated so that when it is deserialized, it can write or copy files to disk in arbitrary locations.
“A remote attacker could exploit this vulnerability to take control of an affected system,” according to the Monday advisory. “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”
The vulnerable commons-fileupload library is used in Apache Struts versions 2.3.36 and prior, the Foundation said in a Monday advisory. They urged users to upgrade to the latest released version of Commons FileUpload library – which is 1.3.3.
The vulnerability is reminiscent of CVE-2017-5638, another critical remote code execution Apache vulnerability behind the massive 2017 Equifax breach that led to the compromise of 143 million Americans’ data.
While that Apache Struts vulnerability (impacting the Jakarta based file upload Multipart parser) was patched back in March 2017, the consumer credit reporting agency didn’t apply patches for two months after the flaw’s disclosure – eventually leading to the groundbreaking breach.
Similarly, this latest deserialization vulnerability was disclosed and patched in commons-fileupload in March, but since then a new version of Struts that became available – the 2.3.36 version, which was released in October – has touted vulnerable versions of the library.
Struts versions from 2.5.12 are not affected, as this newer version of Struts includes a patched commons-fileupload component.
Users can fix the risk by replacing the faulty library manually.
“There is no simple ‘new Struts version’ to fix this,” said Johannes Ullrich, dean of research at the SANS Institute, in a blog post on Monday. “You will have to swap out the commons-fileupload library manually.”
“And while you are at it: Double check that you don’t have any other copies of the vulnerable library sitting on your systems,” he added. “Struts isn’t the only one using it, and others may have neglected to update it as well.”
It is only the latest security issue to afflict Apache Struts – earlier in August for instance, a critical remote code-execution vulnerability in Apache Struts 2 was disclosed.
