Apache Struts 2.3.x vulnerable to two year old RCE flaw

From helpnetsecurity.com

The Apache Software Foundation is urging users that run Apache Struts 2.3.x to update the Commons FileUpload library to close a serious vulnerability that could be exploited for remote code execution attacks.


The problem

Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications. The Commons FileUpload library is used to add file upload capabilities to servlets and web applications.

The vulnerability (CVE-2016-1000031) is present in Commons FileUpload versions before 1.3.3. It arose because the library's DiskFileItem class was serializable: a crafted serialized object, when deserialized by the application, can be made to write or copy files to arbitrary locations on disk, which an attacker can turn into remote code execution.

Apache Struts 2.3.x is affected because it ships the vulnerable version of the library (v1.3.2).
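A quick way to check a deployed Struts 2.3.x application for the vulnerable library is to look at what is actually in WEB-INF/lib rather than trusting the build file. The script below is an added example, not code from the article or from the Apache projects. It assumes that release jars of Commons FileUpload carry an Implementation-Version or Bundle-Version header in META-INF/MANIFEST.MF (the official builds do) and that the affected class lives at org/apache/commons/fileupload/disk/DiskFileItem.class; the sample jars it builds in memory are constructed for the demonstration.

```python
"""Flag Commons FileUpload jars older than 1.3.3 (CVE-2016-1000031) under WEB-INF/lib.

Added example, not the article's or Apache's own code. Assumptions: the jar's
manifest carries Implementation-Version or Bundle-Version, and the vulnerable
class is org/apache/commons/fileupload/disk/DiskFileItem.class.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# First Commons FileUpload release that closes CVE-2016-1000031.
FIXED_VERSION = (1, 3, 3)
# The class whose deserialization is the problem; its presence identifies the library
# even when the jar has been renamed.
DISKFILEITEM = "org/apache/commons/fileupload/disk/DiskFileItem.class"
JAR_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """'1.3.2' -> (1, 3, 2). Trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_vulnerable(version_text):
    """True when the version sorts below 1.3.3; tuple comparison handles '1.3' vs '1.3.3'."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unparseable version: {version_text!r}")
    return v < FIXED_VERSION


def manifest_version(manifest_text):
    """Version from manifest text: Implementation-Version, else Bundle-Version, else None."""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)\s*$", manifest_text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def classify_jar(name, jar_bytes):
    """Return (version, vulnerable) for a Commons FileUpload jar, None for any other jar.

    The manifest is preferred over the file name, because renamed or repackaged jars
    are a common way for an old library to survive an audit. A copy with no readable
    version at all is reported as suspect rather than silently passed.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if DISKFILEITEM not in names and not JAR_NAME_RE.match(name):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            version = manifest_version(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    if version is None:
        m = JAR_NAME_RE.match(name)
        version = m.group(1) if m else None
    if version is None:
        return ("unknown", True)
    return (version, is_vulnerable(version))


def scan_lib_dir(lib_dir):
    """Scan every *.jar in a directory; returns [(jar name, version, vulnerable), ...]."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        result = classify_jar(jar.name, jar.read_bytes())
        if result is not None:
            findings.append((jar.name, *result))
    return findings


def build_test_jar(version, manifest=True, fileupload=True):
    """Constructed sample jar for the demonstration: optional manifest, optional DiskFileItem entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if fileupload:
            zf.writestr(DISKFILEITEM, b"")  # placeholder; a real jar holds the compiled class
    return buf.getvalue()


def main():
    if len(sys.argv) > 1:
        findings = scan_lib_dir(sys.argv[1])  # e.g. /opt/tomcat/webapps/app/WEB-INF/lib
    else:  # no directory given: run against constructed jars
        samples = {
            "commons-fileupload-1.3.2.jar": build_test_jar("1.3.2"),  # what Struts 2.3.x ships
            "commons-fileupload-1.3.3.jar": build_test_jar("1.3.3"),
            "vendor-bundle.jar": build_test_jar("1.3.2"),           # renamed copy, still caught
            "struts2-core-2.3.34.jar": build_test_jar("2.3.34", fileupload=False),
        }
        findings = [(n, *r) for n, b in samples.items() if (r := classify_jar(n, b))]
    for name, version, vulnerable in findings:
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {name} (commons-fileupload {version})")
    sys.exit(1 if any(v for _, _, v in findings) else 0)


if __name__ == "__main__":
    main()
```

Run it with the path to the application's WEB-INF/lib; a non-zero exit means at least one copy below 1.3.3 was found. Note that the fix in 1.3.3 works by refusing to deserialize DiskFileItem unless the system property org.apache.commons.fileupload.disk.DiskFileItem.serializable is set to true, so after upgrading, make sure nothing in the deployment re-enables it without a reason.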
