Vulnerability Overview
Recently, Apache Software Foundation (ASF) has released a security advisory to strongly advise users of Apache Struts2.3.X to upgrade the Apache Commons FileUpload component. Struts 2.3.x, by default, uses the Commons FileUpload component of V1.3.2. Early in 2016, this component of V1.3.2 is disclosed to contain a deserialization vulnerability (CVE-2016-100031) which could result in arbitrary code execution.
Commons is a Java subproject of ASF and FileUpload is a subproject for handling HTTP file uploads. The Commons FileUpload component is mainly used to assist developers in implementing the web file upload function.
Reference link:
https://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E
Scope of Impact
Affected Versions
- Apache Struts <= 2.3.36
- Apache Common FileUpload < 1.3.3
Unaffected Versions
- Apache Struts >= 2.5.12
- Apache Common FileUpload 1.3.3
Vulnerability Check
- Version Check
This vulnerability exists in the Commons FileUpload component in Apache Struct2 of earlier versions. Application systems that use this component are susceptible to remote attacks. Therefore, application developers are advised to check whether this component used in Apache Struct 2 is vulnerable.
Check the version of this component in the Maven configuration file pom.xml as follows:
| <dependency>
<groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.3.2</version> </dependency> |
If the component version indicated in red is vulnerable, users should upgrade the Common FileUpload component to an unaffected version for long-term effective protection.
Vulnerability Protection
- Official Update
A new version has been released officially to fix this vulnerability. Users of Apache Struts 2.3.x should upgrade this framework or the Common FileUpload component to the latest version as soon as possible to prevent risks brought by this vulnerability.
- Offline Update of the Common FileUpload Component
Users can replace the current the Common FileUpload library with a patched version for protection against this vulnerability. The detailed procedure is as follows:
- Download the Common FileUpload library V1.3.3 from the following address:
http://mirrors.hust.edu.cn/apache//commons/fileupload/binaries/commons-fileupload-1.3.3-bin.zip
- Use the patched version to replace the earlier version of the component under WEB-INF/lib.
- Restart middleware applications such as Tomcat and WebLogic.
- Application Recompilation for Update
Developers can recompile the application to update the Common FileUpload component by updating the Maven or Gradle configuration:
Maven configuration
| <!– https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload –>
<dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.3.3</version> </dependency> |
Gradle configuration
| // https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload
compile group: ‘commons-fileupload’, name: ‘commons-fileupload’, version: ‘1.3.3‘ |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
Founded in April 2000 and headquartered in Beijing, NSFOCUS Information Technology Co., Ltd. (NSFOCUS) has more than 40 branches and subsidiaries at home and abroad, providing most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors to ensure customers’ business continuity.
Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.
NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.
