Author: rgielen
Date: Thu Apr 24 14:34:10 2014
New Revision: 1589746

URL: http://svn.apache.org/r1589746
Log:
0day exploit mitigation announcement

Modified:
    struts/site/trunk/source/announce.md

Modified: struts/site/trunk/source/announce.md
URL: http://svn.apache.org/viewvc/struts/site/trunk/source/announce.md?rev=1589746&r1=1589745&r2=1589746&view=diff
==============================================================================
--- struts/site/trunk/source/announce.md (original)
+++ struts/site/trunk/source/announce.md Thu Apr 24 14:34:10 2014
@@ -2,13 +2,57 @@
 layout: default
 title: Announcements
 ---
-
 # Announcements
 
 <p class="pull-right">
   Skip to: <a href="announce-2013.html">Announcements - 2013</a>
 </p>
 
+#### <span id="a20140424"> 2 March 2014 - Struts up to 2.3.16.1: Zero-Day 
Exploit Mitigation
+
+In Struts 2.3.16.1, an issue with ClassLoader manipulation via request 
parameters was supposed to be resolved. Unfortunately, 
+the correction wasn't sufficient.
+
+A security fix release fully addressing this issue is in preparation and will 
be released as soon as possible.
+
+Once the release is available, all Struts 2 users are strongly recommended to 
update their installations.
+
+**Until the release is available, all Struts 2 users are strongly recommended 
to apply the following mitigation:**
+
+In your struts.xml, replace all custom references to params-interceptor with 
the following code, especially regarding the class-pattern
+found at the beginning of the excludeParams list:
+
+    <interceptor-ref name="params">
+       <param 
name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+    </interceptor-ref>
+
+If you are using default interceptor stacks packaged in struts-default.xml, 
change your parent packages to a customized secured configuration
+as in the following example. Given you are using defaultStack so far, change 
your packages from
+
+    <package name="default" namespace="/" extends="struts-default">
+        <default-interceptor-ref name="defaultStack" />
+        ...
+        ...
+    </package>
+
+to
+
+    <package name="default" namespace="/" extends="struts-default">
+        <interceptors>
+            <interceptor-stack name="secureDefaultStack">
+                <interceptor-ref name="defaultStack">
+                    <param 
name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+                </interceptor-ref>
+            </interceptor-stack>
+        </interceptors>
+
+        <default-interceptor-ref name="secureDefaultStack" />
+        ...
+    </package> 
+
+Please follow the Apache Struts Announcements to stay updated regarding the 
upcoming security release. Most likely the release will be available within the 
next 72 hours.
+Please prepare for upgrading all Struts 2 based production systems to the new 
release version once available.
+
 #### <span id="a20140302"> 2 March 2014 - Struts 2.3.16.1 General Availability 
Release - Security Fix Release
 
 The Apache Struts group is pleased to announce that Struts 2.3.15.2 is 
available as a "General Availability"
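Review bot: the new heading `#### <span id="a20140424"> 2 March 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation` carries the date of the previous entry, while its anchor id (a20140424) and this commit's timestamp both say 24 April 2014; the visible date should be corrected to 24 April 2014 so readers do not confuse the mitigation notice with the 2.3.16.1 release announcement directly below it. Two smaller points: the hunk also deletes the blank line between the front-matter `---` and `# Announcements`, which is unrelated whitespace churn that could be left out, and because the identical excludeParams regex is pasted twice (once as the `excludeParams` param on the interceptor-ref, once as `params.excludeParams` on the stack), a sentence stating that the two values must be kept identical would reduce the chance of someone updating only one of them when the final fix arrives.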
@@ -65,4 +109,4 @@ All developers are strongly advised to p
 <p class="pull-left">
   <strong>Next:</strong>
   <a href="kickstart.html">Kickstart FAQ</a>
-</p>
+</p>
\ No newline at end of file
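Review bot: the only change in this hunk is dropping the file's trailing newline (`\ No newline at end of file`), so `</p>` shows as modified without any content change; keep the terminating newline so the diff stays limited to the announcement text and the last line is not flipped again by the next edit.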