Critical hole in Apache Struts 2 closed
Source: H Security - Posted by Dave Wreski   
Vendors/Products The developers of the Apache Struts 2 Java web framework have released version 2.3.1.2. This closes a critical hole in versions of Struts from 2.0.0 to 2.3.1.1 that allowed for remote command execution. The vulnerability makes it possible for the protection around OGNL, an expression language used for getting and setting properties of Java objects, to be bypassed and arbitrary expressions be evaluated. An example given in the advisory shows how an attacker could invoke the java.lang.Runtime.getRuntime().exec() method to run an arbitrary command if a vulnerable action existed. This is not the first time OGNL has been problematic; in 2008 and 2010, similar problems allowed for unauthorised manipulation and execution of Java classes.

Read this full article at H Security

Only registered users can write comments.
Please login or register.

Powered by AkoComment!