Vulnerabilities have been discovered in Apache Struts which could allow remote code execution. Apache Struts is an open source, model-view-controller (MVC) framework used for building Java web applications. Successful exploitation could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Apache Struts versions 2.0.0 through 2.3.15.1
Vulnerabilities have been found in Apache Struts versions 2.0.0 - 2.3.15.1 which could allow for remote code execution. The details of these vulnerabilities are as follows:
- Upgrade vulnerable Apache Struts products immediately after appropriate testing.
- Disable Dynamic Method Invocation (DMI). In version 2.3.15.2, Dynamic Method Invocation is set to false by default.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Apply the principle of Least Privilege to all services.
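As an added illustration of the second recommendation (not part of the original advisory), the following script audits a Struts 2 `struts.xml` for the `struts.enable.DynamicMethodInvocation` constant and reports whether DMI is effectively enabled, taking into account that the framework default flipped from enabled to disabled in 2.3.15.2. The two `struts.xml` documents, the action class name and the version strings are constructed for this example.

```python
"""Audit a Struts 2 struts.xml for Dynamic Method Invocation (DMI).

Before 2.3.15.2 the framework default is DMI enabled; from 2.3.15.2 the
default is disabled. An explicit <constant> in struts.xml (or the same key
in struts.properties) overrides the default either way. Both sample
documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
DMI_DEFAULT_OFF_SINCE = (2, 3, 15, 2)  # first release with DMI off by default

# Constructed sample: a typical configuration that never mentions DMI,
# so the running version's default decides.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction"/>
  </package>
</struts>"""

# Constructed sample: the same configuration with DMI explicitly disabled,
# which is the hardened form regardless of version.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction"/>
  </package>
</struts>"""


def parse_version(version: str) -> tuple:
    """'2.3.15.1' -> (2, 3, 15, 1); a shorter tuple sorts before a longer one."""
    return tuple(int(part) for part in version.split("."))


def explicit_dmi_setting(struts_xml: str):
    """Return True/False for an explicit DMI constant, or None if it is absent."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return None


def dmi_enabled(struts_xml: str, struts_version: str) -> bool:
    """Effective DMI state: an explicit constant wins, otherwise the version default."""
    explicit = explicit_dmi_setting(struts_xml)
    if explicit is not None:
        return explicit
    return parse_version(struts_version) < DMI_DEFAULT_OFF_SINCE


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        for ver in ("2.3.15.1", "2.3.15.2"):
            print(f"{label:8s} struts {ver}: DMI enabled = {dmi_enabled(xml, ver)}")
```

A configuration that stays silent on DMI is only safe once the upgrade to 2.3.15.2 or later has actually been deployed; setting the constant explicitly makes the hardening independent of the version in use.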
http://struts.apache.org/release/2.3.x/docs/s2-018.html
http://struts.apache.org/release/2.3.x/docs/s2-019.html
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4316
SecurityFocus:
http://www.securityfocus.com/bid/62587