Posted to commits@struts.apache.org by lu...@apache.org on 2014/04/24 16:51:55 UTC
svn commit: r1589758 - /struts/site/trunk/content/announce.html
Author: lukaszlenart
Date: Thu Apr 24 14:51:54 2014
New Revision: 1589758
URL: http://svn.apache.org/r1589758
Log:
Updates autogenerated page
Modified:
struts/site/trunk/content/announce.html
Modified: struts/site/trunk/content/announce.html
URL: http://svn.apache.org/viewvc/struts/site/trunk/content/announce.html?rev=1589758&r1=1589757&r2=1589758&view=diff
==============================================================================
--- struts/site/trunk/content/announce.html (original)
+++ struts/site/trunk/content/announce.html Thu Apr 24 14:51:54 2014
@@ -112,6 +112,48 @@
Skip to: <a href="announce-2013.html">Announcements - 2013</a>
</p>
+<h4><span id="a20140424"> 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation</h4>
+
+<p>In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately,
+the correction wasn't sufficient.</p>
+
+<p>A security fix release fully addressing this issue is in preparation and will be released as soon as possible.</p>
+
+<p>Once the release is available, all Struts 2 users are strongly recommended to update their installations.</p>
+
+<p><strong>Until the release is available, all Struts 2 users are strongly recommended to apply the following mitigation:</strong></p>
+
+<p>In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern
+found at the beginning of the excludeParams list:</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text"><interceptor-ref name="params">
+ <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+</interceptor-ref>
+</code></pre></div>
+<p>If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration
+as in the following example. Given you are using defaultStack so far, change your packages from</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text"><package name="default" namespace="/" extends="struts-default">
+ <default-interceptor-ref name="defaultStack" />
+ ...
+ ...
+</package>
+</code></pre></div>
+<p>to</p>
+<div class="highlight"><pre><code class="text language-text" data-lang="text"><package name="default" namespace="/" extends="struts-default">
+ <interceptors>
+ <interceptor-stack name="secureDefaultStack">
+ <interceptor-ref name="defaultStack">
+ <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
+ </interceptor-ref>
+ </interceptor-stack>
+ </interceptors>
+
+ <default-interceptor-ref name="secureDefaultStack" />
+ ...
+</package>
+</code></pre></div>
+<p>Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
+Please prepare for upgrading all Struts 2 based production systems to the new release version once available.</p>
+
<h4><span id="a20140302"> 2 March 2014 - Struts 2.3.16.1 General Availability Release - Security Fix Release</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.3.15.2 is available as a "General Availability"
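Review bot: the `<span id="a20140424">` opened in the new heading on the first added line is never closed before `</h4>`, so the anchor element runs into the following paragraphs; add `</span>` after the date text (the existing 2 March 2014 heading in the trailing context has the same omission and could be corrected in the same change). A second point in the same hunk: the excludeParams value is pasted verbatim twice, once in the `params` interceptor-ref snippet and again as `params.excludeParams` inside the `secureDefaultStack` example, so if the pattern is tightened again before the fix release both copies must be updated together; stating once that the two values are identical, or referring the second snippet back to the first, would reduce the chance of the two drifting apart.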