
SANS ISC: Apache Struts Zero Day and Mitigation - Internet Security | DShield SANS ISC InfoSec Forums


Apache Struts Zero Day and Mitigation

Thanks to Gebhard for letting us know about a new vulnerability in Apache Struts.

If you recall the classloader vulnerability of a few months ago, the fix for that seems to be case and punctuation sensitive (using [] instead of "." was not accounted for).

In any case, the Struts team has posted a mitigation how-to here: http://struts.apache.org/announce.html#a20140424

This affects all versions up to 2.3.16.1.

Find more information on this here:
http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/
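
To check your own web logs for the case and punctuation gap described above, here is an added example (not from this diary, and not the pattern from the Apache mitigation). It compares a dot-only, case-sensitive check with one that also handles bracket notation and mixed case. Both regexes, the log lines and the `PLACEHOLDER` property name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Dot notation only, case-sensitive: the kind of check the diary says fell short.
NAIVE = re.compile(r"(^|\.)class\.")
# Case-insensitive; accepts '.', '[' or a (quoted) ']' around the "class" segment.
HARDENED = re.compile(r"""(^|\.|\[['"]?)class(\.|\[|['"]?\])""", re.IGNORECASE)
# Request line inside a combined-format access-log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs, placeholder property names).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2014:10:00:01 +0000] "GET /app/list.action?classroom=b12 HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Apr/2014:10:00:02 +0000] "GET /app/list.action?class.classLoader.PLACEHOLDER=x HTTP/1.1" 200 512',
    '192.0.2.12 - - [24/Apr/2014:10:00:03 +0000] "GET /app/list.action?class%5B%27classLoader%27%5D%5B%27PLACEHOLDER%27%5D=x HTTP/1.1" 200 512',
    '192.0.2.13 - - [24/Apr/2014:10:00:04 +0000] "GET /app/list.action?Class.classLoader.PLACEHOLDER=x HTTP/1.1" 200 512',
]

def param_names(target):
    """Return the URL-decoded query parameter names of a request target."""
    return [name for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]

def scan(lines, pattern):
    """Return (line_number, flagged_names) for each log line with a matching name."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        names = [n for n in param_names(match.group(1)) if pattern.search(n)]
        if names:
            hits.append((number, names))
    return hits

if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE), ("hardened", HARDENED)):
        print(label, scan(SAMPLE_LOG, pattern))
```

Access logs only show query-string parameters, so parameters sent in a POST body need the same check at a proxy, WAF or servlet filter.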

================
Rob VandenBrink
Metafore



 
