Apache Struts Patches Remote Code Execution Vulnerability in FileUpload Library (CVE-2016-1000031)
Apache Software Foundation announces a security update for Apache Struts to address a vulnerability in the Commons FileUpload library that could lead to remote code execution. We recommend updating now.
Antecedentes
On November 5, the Apache Software Foundation (ASF) published a security announcement to Apache Struts project administrators about CVE-2016-1000031, a vulnerability in the Commons FileUpload library originally reported by Tenable’s Research team in 2016. This library ships as part of Apache Struts 2 and is used as the default mechanism for file uploads. The ASF reports that Apache Struts 2.3.36 and prior are vulnerable. A remote attacker could use this vulnerability to gain remote code execution on publicly accessible websites running a vulnerable version of Apache Struts.
Vulnerability details
For details about this vulnerability, please review the Tenable Research Advisory for the Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution (LOBSTER).
Urgently required actions
The ASF confirms that Apache Struts version 2.5.12 and above include the patched version of the commons-fileupload library, version 1.3.3. If possible, Apache Struts project administrators should upgrade to 2.5.12 and above. The ASF also notes that the patched version of the commons-fileupload library can be dropped into projects that have already been deployed by simply replacing the JAR file in the WEB-INF/lib path with the fixed version. Maven based Struts projects can address this vulnerability by adding in the following dependency:
<dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.3.3</version> </dependency>
Identificación de los sistemas afectados
A list of Nessus plugins to identify this vulnerability can be found here.
Get more information:
- Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
- CVE-2016-1000031 Detail
- Tenable Research Advisory: Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Artículos relacionados
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period
May 14, 2024The finding from the Tenable 2024 Cloud Security Outlook study is a clear sign of the need for proactive and robust cloud security. Read on to learn more about the study’s findings, including the main challenges cloud security teams face, their strategies for better protecting their cloud infrastructure and the tools they use to measure success.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
- Vulnerability Management
- Vulnerability Scanning