Apache warns Struts 2.3 is using a library with a two year old critical flaw

The Apache Software Foundation is warning organizations using certain versions of Struts 2 to update a library called “Commons FileUpload”, which contains a two-year old flaw that can lead to remote code execution attacks against public facing websites. 

The flaw affects projects using Struts 2.3.36 and prior, which use the Commons FileUpload library version 1.3.2. Applications on Struts 2.5.12 are not affected because they’re using the Commons FileUpload library version 1.3.3, which addressed a critical flaw disclosed in 2016. 

“Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior,” the Apache Struts team said in the advisory published today. 

“This is necessary to prevent your publicly accessible web site from being exposed to possible remote code execution attacks,” the team added. 

US-CERT has also urged admins running Struts version 2.3.36 and prior to review the advisory. 

The Commons FileUpload library, which is maintained by Apache Commons, is a tool to for adding file upload capabilities to web applications and Java servlets. Apache Struts 2 is a widely-used platform for creating Java-based web applications. 

In 2016 a critical deserialization bug was found in Commons FileUpload version 1.3.2 and prior, and was fixed in version 1.3.3. The bug was tracked as CVE-2016-1000031. 

The problem, as noted by Sans Institute’s Johannes Ullrich, is that Struts 2.3.x by default uses the vulnerable Commons FileUpload 1.3.2. 

The newer Struts, versions 2.5.x, instead by default uses the fixed Commons FileUpload version 1.3.3.  

Admins will need to manually update vulnerable Commons Fileupload library versions. 

“There is no simple "new Struts version" to fix this,” wrote Ullrich. 

“And while you are at it: Double check that you don't have any other copies of the vulnerable library sitting on your systems. Struts isn't the only one using it, and others may have neglected to update it as well,” he warned. 

Several tech vendors since 2016 have released patches for products that use vulnerable versions of Apache Commons FileUpload. IBM released a patch for the bug WebSphere Service Registry and Repository earlier this year, while Oracle in October patched the same flaw in its Micros CRM software.   

The Apache Software Foundation's last major security update to Struts 2 itself was in August and addressed a dangerous flaw that could be attacked remotely from a browser. Admins working with Struts 2.3 were told to update to 2.3.35, while users on Struts 2.5 were told to update to 2.5.17. 

Critical flaws in Struts are considered high risk because hackers have historically attacked them within days of their disclosure, as security firm Semmle noted at the time. The massive breach of US credit bureau Equifax in was also due to its use of a known vulnerable version of Struts.