Author: lukaszlenart Date: Thu Apr 24 14:55:15 2014 New Revision: 906730 Log: Updates production
Modified: websites/production/struts/content/announce.html Modified: websites/production/struts/content/announce.html ============================================================================== --- websites/production/struts/content/announce.html (original) +++ websites/production/struts/content/announce.html Thu Apr 24 14:55:15 2014 
@@ -112,6 +112,48 @@ Skip to: <a href="announce-2013.html">Announcements - 2013</a> </p> +<h4><span id="a20140424"> 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation</h4> + +<p>In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, +the correction wasn't sufficient.</p> + +<p>A security fix release fully addressing this issue is in preparation and will be released as soon as possible.</p> + +<p>Once the release is available, all Struts 2 users are strongly recommended to update their installations.</p> + +<p><strong>Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:</strong></p> + +<p>In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern +found at the beginning of the excludeParams list:</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text"><interceptor-ref name="params"> + <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param> +</interceptor-ref> +</code></pre></div> +<p>If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration +as in the following example. Given you are using defaultStack so far, change your packages from</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text"><package name="default" namespace="/" extends="struts-default"> + <default-interceptor-ref name="defaultStack" /> + ... + ... 
+</package> +</code></pre></div> +<p>to</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text"><package name="default" namespace="/" extends="struts-default"> + <interceptors> + <interceptor-stack name="secureDefaultStack"> + <interceptor-ref name="defaultStack"> + <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param> + </interceptor-ref> + </interceptor-stack> + </interceptors> + + <default-interceptor-ref name="secureDefaultStack" /> + ... +</package> +</code></pre></div> +<p>Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. +Please prepare for upgrading all Struts 2 based production systems to the new release version once available.</p> + <h4><span id="a20140302"> 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release</h4> <p>The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability"
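Review bot: the new heading `<h4><span id="a20140424"> 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation</h4>` opens a `<span>` that is never closed; the `</span>` should be added before `</h4>` so the anchor id wraps only the heading text (the existing March entry has the same defect, so fixing both in this change would be consistent). In the two `<pre><code>` blocks, the `<interceptor-ref>` and `<package>` snippets contain raw `<` and `>`; confirm they are entity-escaped (`&lt;`, `&gt;`) in the source file, otherwise the browser will parse the example XML as markup and the mitigation will not render. The prose says "replace all custom references to params-interceptor" but does not spell out that the `excludeParams` value shown supersedes the default list rather than appending to it, which is why the full default exclusions (`^dojo\..*,^struts\..*,...`) are repeated after the class pattern; one sentence stating that would stop users from pasting only the class pattern and losing the default exclusions.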