The group behind Apache have pushed out a new version of Struts, fixing two issues in the framework that were giving developers difficulties over the past several weeks.
The Apache Software Foundation posted version 2.3.15.3 of the framework online Tuesday. The release fixes an access control vulnerability and fixes a problem with the parameter “action: prefix” that existed in a previous build.
The broken access control vulnerability was thought to be fixed in 2.3.15.1 but contained a bug in the mapping mechanism that could be used to bypass security constraints. The vulnerability was discovered by two researchers at Huawei’s Product Security Incident Response Team but has been fixed in 2.3.15.3. Two constants were added that now prevent those bypasses.
The problem with “action: prefix” is actually an old problem too. It popped up last month after it was reported on WooYun, a third party Chinese platform for reporting security bugs. It was discovered that on 2.3.15.2 manipulating parameters prefixed with “action:”/”redirect:/”redirectAction:” could lead to remote command execution.
WooYun warned last weekend the same remote execution vulnerability was affecting Ona Mae, a Japanese domain registrar, however that website appears to be working fine now.
Since the broken access control vulnerability has been given an important security rating, anyone who uses the framework is being encouraged to download the updates. 2.3.15.3 is available in either the full distribution, or in one of three separate distributions: the library, source, example and documentation portions.
Struts is an open source framework used by developers to create Java-based web apps.
