Security Issue with Struts 2 Framework


Nate Sarr

Aug 1, 2013, 8:54:35 AM
to irp...@googlegroups.com
Hi Everyone,

 Struts 2 has released an updated version that fixes a security vulnerability. You will need to rebuild your IR+ installation to make sure you are not vulnerable.
To do this, you will need to change the following section in ir_plus/ir_web/ivy.xml to use the new libraries, from this:

        <!--  struts 2 files and dependencies -->
        <dependency org="org.apache.struts" name="struts2-core" rev="2.3.4" transitive="false">
            <artifact name="struts2-core" type="jar"/>
        </dependency>
        
        <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.3.4" transitive="false">
            <artifact name="struts2-spring-plugin" type="jar"/>
        </dependency>
        
        <dependency org="org.apache.commons" name="commons-lang3" rev="3.1" transitive="false">
            <artifact name="commons-lang3" type="jar"/>
        </dependency>
        
        <dependency org="commons-fileupload" name="commons-fileupload" rev="1.2.1" transitive="false">
            <artifact name="commons-fileupload" type="jar"/>
        </dependency>
        
        <dependency org="org.freemarker" name="freemarker" rev="2.3.16" transitive="false">
            <artifact name="freemarker" type="jar"/>
        </dependency>

        <dependency org="ognl" name="ognl" rev="3.0.5" transitive="false">
            <artifact name="ognl" type="jar"/>
        </dependency>
        
        <!--  xwork files -->
        <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.3.4" transitive="false">
            <artifact name="xwork-core" type="jar"/>
        </dependency>
        
        <!--  jstl files -->

to:

        <!--  struts 2 files and dependencies -->
        <dependency org="org.apache.struts" name="struts2-core" rev="2.3.15.1" transitive="false">
            <artifact name="struts2-core" type="jar"/>
        </dependency>
        
        <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.3.15.1" transitive="false">
            <artifact name="struts2-spring-plugin" type="jar"/>
        </dependency>
        
        <dependency org="org.apache.commons" name="commons-lang3" rev="3.1" transitive="false">
            <artifact name="commons-lang3" type="jar"/>
        </dependency>
        
        <dependency org="commons-fileupload" name="commons-fileupload" rev="1.2.1" transitive="false">
            <artifact name="commons-fileupload" type="jar"/>
        </dependency>
        
        <dependency org="org.freemarker" name="freemarker" rev="2.3.20" transitive="false">
            <artifact name="freemarker" type="jar"/>
        </dependency>

        <dependency org="ognl" name="ognl" rev="3.0.6" transitive="false">
            <artifact name="ognl" type="jar"/>
        </dependency>
        
        <!--  xwork files -->
        <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.3.15.1" transitive="false">
            <artifact name="xwork-core" type="jar"/>
        </dependency>
  
You will also need to update your web.xml file to look like the following:

http://code.google.com/p/irplus/source/browse/branches/ir_plus-2.2-current-prod/ir_web/web-conf/web.xml


Let me know if you need any help.
-Nate
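
As an added check (example code written for this page, not IR+ project code and not something Nate or Paul posted), here is a small Python script that confirms a checkout and its deployed WAR actually picked up the upgrade Nate describes. It parses ir_web/ivy.xml and reports any of the six dependencies in Nate's target section that is missing or below that revision, which matters because every dependency there is transitive="false" and Ivy fetches nothing that is not listed; it checks web.xml for the filter classes the thread's web.xml change replaces (FilterDispatcher and ActionContextCleanUp giving way to StrutsPrepareAndExecuteFilter); and it reads the struts, xwork and ognl versions off the jar names in WEB-INF/lib, which catches a rebuild that never reached the server. The function and constant names, the version-comparison rule and the ivy.xml and web.xml fragments embedded at the bottom are assumptions constructed for the example. The minimum revisions are a floor rather than a target: later Struts 2.3.x releases fixed further issues, so raise them as the project moves on.

```python
"""Verify that an IR+ checkout and its deployed WAR picked up the Struts
2.3.15.1 upgrade. Added example, not IR+ project code; the XML samples at the
bottom are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Minimum revisions from the upgraded ivy.xml section in the thread. Treat
# them as a floor, not a target: later 2.3.x releases fixed further issues.
MIN_REVS = {
    ("org.apache.struts", "struts2-core"): "2.3.15.1",
    ("org.apache.struts", "struts2-spring-plugin"): "2.3.15.1",
    ("org.apache.struts.xwork", "xwork-core"): "2.3.15.1",
    ("ognl", "ognl"): "3.0.6",
    ("org.freemarker", "freemarker"): "2.3.20",
    ("org.apache.commons", "commons-lang3"): "3.1",
}
# Filter classes from the old and new web.xml shown in the thread.
OLD_FILTERS = {
    "org.apache.struts2.dispatcher.FilterDispatcher",
    "org.apache.struts2.dispatcher.ActionContextCleanUp",
}
NEW_FILTER = "org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter"
# WEB-INF/lib jars whose version can be read off the file name.
JAR_RE = re.compile(r"^(struts2-core|struts2-spring-plugin|xwork-core|ognl)-(\d[\w.]*)\.jar$")


def version_tuple(rev):
    """'2.3.15.1' -> (2, 3, 15, 1); a non-numeric part sorts below zero."""
    return tuple(int(p) if p.isdigit() else -1 for p in rev.split("."))


def version_lt(found, required):
    """True when found is older than required; shorter tuples are zero-padded
    so '3.0' compares as '3.0.0' against '3.0.6'."""
    a, b = version_tuple(found), version_tuple(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def check_ivy(ivy_xml):
    """Return (org, name, found_rev, required_rev) for each dependency missing or
    below MIN_REVS. Missing counts: with transitive="false", Ivy fetches only what is listed."""
    found = {}
    for dep in ET.fromstring(ivy_xml).iter("dependency"):
        found[(dep.get("org"), dep.get("name"))] = dep.get("rev")
    problems = []
    for (org, name), required in MIN_REVS.items():
        rev = found.get((org, name))
        if rev is None or version_lt(rev, required):
            problems.append((org, name, rev, required))
    return problems


def check_web_xml(web_xml):
    """Return (stale_filter_classes, new_filter_present); tags are matched by
    suffix so the xmlns on <web-app> is ignored."""
    classes = set()
    for el in ET.fromstring(web_xml).iter():
        if el.tag.endswith("filter-class") and el.text:
            classes.add(el.text.strip())
    return sorted(classes & OLD_FILTERS), NEW_FILTER in classes


def check_lib_jars(jar_names):
    """Given the file names in the deployed WAR's WEB-INF/lib, return the
    struts/xwork/ognl jars still below MIN_REVS (old jar deployed or left behind)."""
    required = {name: rev for (_, name), rev in MIN_REVS.items()}
    stale = []
    for jar in sorted(jar_names):
        m = JAR_RE.match(jar)
        if m and version_lt(m.group(2), required[m.group(1)]):
            stale.append(jar)
    return stale


# Constructed samples: a pre-upgrade ivy.xml and a post-upgrade web.xml.
OLD_IVY = """<ivy-module version="2.0">
  <dependencies>
    <dependency org="org.apache.struts" name="struts2-core" rev="2.2.1" transitive="false">
      <artifact name="struts2-core" type="jar"/>
    </dependency>
    <dependency org="ognl" name="ognl" rev="3.0" transitive="false"/>
    <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.2.1" transitive="false"/>
  </dependencies>
</ivy-module>"""
NEW_WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
</web-app>"""

if __name__ == "__main__":
    for org, name, rev, req in check_ivy(OLD_IVY):
        print("ivy.xml: %s:%s is %s, need at least %s" % (org, name, rev, req))
    print("web.xml: stale=%s new_filter=%s" % check_web_xml(NEW_WEB))
    print("lib: stale=%s" % check_lib_jars(["struts2-core-2.2.1.jar", "ognl-3.0.6.jar"]))
```

Save it under any name and run it with python to see the report on the embedded samples, or call check_ivy, check_web_xml and check_lib_jars on the contents of the real ivy.xml, web.xml and the WEB-INF/lib listing. Any non-empty result from check_ivy or check_lib_jars, or a stale filter class from check_web_xml, means the rebuild is not finished.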

Paul Hoffman

Aug 26, 2013, 7:33:23 AM
to irp...@googlegroups.com
> Hi Everyone,
>
> Struts 2 has released an updated version that fixes a security
> vulnerability. You will need to rebuild your IR+ installation to make sure
> you are not vulnerable.
> To do this, you will need to change the following section in
> ir_plus/ir_web/ivy.xml to use the new libraries from this

Thanks, Nate. Just in case it helps anyone else, here's the change in
ir_web/ivy.xml as a patch (for 2.0.8 but it should be easy to make this a patch
for other versions):

--- base/ir_web/ivy.xml 2013-08-26 14:31:02.816796519 +0530
+++ flo/ir_web/ivy.xml 2013-08-26 15:50:13.008797000 +0530
@@ -1,9 +1,9 @@
<!-- struts 2 files and dependencies -->
- <dependency org="org.apache.struts" name="struts2-core" rev="2.2.1" transitive="false">
+ <dependency org="org.apache.struts" name="struts2-core" rev="2.3.15.1" transitive="false">
<artifact name="struts2-core" type="jar"/>
</dependency>

- <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.2.1" transitive="false">
+ <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.3.15.1" transitive="false">
<artifact name="struts2-spring-plugin" type="jar"/>
</dependency>

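Review bot: this hunk bumps struts2-core and struts2-spring-plugin but nowhere in the patch is the commons-lang3 3.1 dependency added that Nate's target section lists right after the spring plugin block; since every dependency in this file is declared transitive="false", Ivy will not pull it in on its own. Add '<dependency org="org.apache.commons" name="commons-lang3" rev="3.1" transitive="false">' with its artifact element after the struts2-spring-plugin block. The '@@ -1,9 +1,9 @@' header also shows the diff was taken against an excerpt starting at the struts comment rather than the full ir_web/ivy.xml, so patch has to locate the hunk by context.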
@@ -15,16 +15,16 @@
<artifact name="commons-fileupload" type="jar"/>
</dependency>

- <dependency org="org.freemarker" name="freemarker" rev="2.3.16" transitive="false">
+ <dependency org="org.freemarker" name="freemarker" rev="2.3.20" transitive="false">
<artifact name="freemarker" type="jar"/>
</dependency>

- <dependency org="ognl" name="ognl" rev="3.0" transitive="false">
+ <dependency org="ognl" name="ognl" rev="3.0.6" transitive="false">
<artifact name="ognl" type="jar"/>
</dependency>

<!-- xwork files -->
- <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.2.1" transitive="false">
+ <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.3.15.1" transitive="false">
<artifact name="xwork-core" type="jar"/>
</dependency>

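Review bot: the version bumps here (freemarker 2.3.16 to 2.3.20, ognl 3.0 to 3.0.6, xwork-core 2.2.1 to 2.3.15.1) match Nate's target section, but the patch stops at ivy.xml; Nate's message says web.xml also has to change, so anyone applying this patch alone rebuilds with the new jars while still running the old filter configuration. Ship the web.xml change in the same patch so the two cannot be applied separately.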
On Thu, Aug 01, 2013 at 05:54:35AM -0700, Nate Sarr wrote:

> You will also need to update your web.xml file to look like the following:
>
> http://code.google.com/p/irplus/source/browse/branches/ir_plus-2.2-current-prod/ir_web/web-conf/web.xml

By "look like" I take it you mean "contain exactly" assuming that we
haven't made any customizations; right?

Paul.

--
Paul Hoffman <pa...@flo.org>
Systems Librarian
Fenway Libraries Online
c/o Wentworth Institute of Technology
550 Huntington Ave.
Boston, MA 02115
(617) 442-2384 (FLO main number)

Nate Sarr

Aug 26, 2013, 8:46:56 AM
to irp...@googlegroups.com
Hi Paul,

   Thanks for posting the patch! You are correct, it should look exactly like that if you haven't made any customizations.

-Nate



Paul Hoffman

Aug 27, 2013, 6:23:16 AM
to irp...@googlegroups.com
...and here's a better (i.e., not broken) patch that also updates
web.xml.

Paul.
struts2-security-patch.diff

Paul Hoffman

Aug 27, 2013, 6:34:27 AM
to irp...@googlegroups.com
Hmm, nope, that generates an inscrutable unhandled exception report,
something in com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.

I gather this is something that manages something that validates
something that annotates something; but what???

Also, the commons-lang3 artifact is new; is this really needed, or is it
UR-specific?

Paul.
> --- base/ir_web/web-conf/web.xml 2011-02-08 14:55:04.000000000 -0500
> +++ flo/ir_web/web-conf/web.xml 2013-07-26 09:25:24.000000000 -0400
> @@ -49,11 +49,6 @@
>
> <!-- Cleans up the struts variables - this helps with memory leaks
> This was needed due to spring security filter -->
> - <filter>
> - <filter-name>struts-cleanup</filter-name>
> - <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
> - </filter>
> -
> <filter>
> <filter-name>springSecurityFilterChain</filter-name>
> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
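Review bot: the struts-cleanup filter (ActionContextCleanUp) is removed, but the two-line comment above it, "Cleans up the struts variables - this helps with memory leaks / This was needed due to spring security filter", is kept as context and now sits directly above the springSecurityFilterChain filter, describing a filter that no longer exists. Drop the comment together with the filter, or reword it to say that the Struts 2 prepare-and-execute filter now handles the cleanup itself.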
> @@ -67,18 +62,13 @@
> </filter>
>
> <filter>
> - <filter-name>struts</filter-name>
> - <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
> + <filter-name>struts2</filter-name>
> + <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
> </filter>
>
>
> <!-- This determines the order that the filters are executed -->
> <filter-mapping>
> - <filter-name>struts-cleanup</filter-name>
> - <url-pattern>/*</url-pattern>
> - </filter-mapping>
> -
> - <filter-mapping>
> <filter-name>OpenSessionInView</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
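Review bot: the filter is renamed from struts to struts2 at the same time as its class changes to StrutsPrepareAndExecuteFilter; the rename is cosmetic, it is what forces the separate filter-mapping hunk further down, and a partial application of this patch leaves a filter-mapping pointing at a filter-name that no longer exists. Keeping the name struts would reduce this part of the hunk to the single filter-class line. The removal of the struts-cleanup filter-mapping is consistent with the filter removal in the hunk above.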
> @@ -89,7 +79,7 @@
> </filter-mapping>
>
> <filter-mapping>
> - <filter-name>struts</filter-name>
> + <filter-name>struts2</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
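Review bot: the struts2 mapping stays last, after the springSecurityFilterChain and OpenSessionInView mappings, which the "This determines the order that the filters are executed" comment above says is significant; with prepare and execute now done by one filter, keep it last so the security and session filters still wrap action execution. Only the filter-name changes here, so this hunk stands or falls with the rename in the hunk above and should not be applied without it.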
> --- base/ir_web/ivy.xml 2011-02-08 14:55:26.000000000 -0500
> +++ flo/ir_web/ivy.xml 2013-08-27 05:48:32.000000000 -0400
> @@ -32,31 +32,35 @@
> <dependency org="ur_tags" name="ur_tags" rev="2.0" transitive="false" changing="true"/>
>
> <!-- struts 2 files and dependencies -->
> - <dependency org="org.apache.struts" name="struts2-core" rev="2.2.1" transitive="false">
> + <dependency org="org.apache.struts" name="struts2-core" rev="2.3.15.1" transitive="false">
> <artifact name="struts2-core" type="jar"/>
> </dependency>
>
> - <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.2.1" transitive="false">
> + <dependency org="org.apache.struts" name="struts2-spring-plugin" rev="2.3.15.1" transitive="false">
> <artifact name="struts2-spring-plugin" type="jar"/>
> </dependency>
>
> + <dependency org="org.apache.commons" name="commons-lang3" rev="3.1" transitive="false">
> + <artifact name="commons-lang3" type="jar"/>
> + </dependency>
> +
> <dependency org="commons-fileupload" name="commons-fileupload" rev="1.2.1" transitive="false">
> <artifact name="commons-fileupload" type="jar"/>
> </dependency>
>
> - <dependency org="org.freemarker" name="freemarker" rev="2.3.16" transitive="false">
> + <dependency org="org.freemarker" name="freemarker" rev="2.3.20" transitive="false">
> <artifact name="freemarker" type="jar"/>
> </dependency>
>
> - <dependency org="ognl" name="ognl" rev="3.0" transitive="false">
> + <dependency org="ognl" name="ognl" rev="3.0.6" transitive="false">
> <artifact name="ognl" type="jar"/>
> </dependency>
>
> <!-- xwork files -->
> - <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.2.1" transitive="false">
> + <dependency org="org.apache.struts.xwork" name="xwork-core" rev="2.3.15.1" transitive="false">
> <artifact name="xwork-core" type="jar"/>
> </dependency>
> -
> +
> <!-- jstl files -->
> <dependency org="jstl" name="jstl" rev="1.2" transitive="false">
> <artifact name="jstl" type="jar"/>
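Review bot: the commons-lang3 3.1 addition belongs in the patch; it appears in Nate's target section, so it is part of the 2.3.15.1 upgrade rather than a UR-specific customization, and with transitive="false" on every dependency it has to be declared explicitly or the jar will not be fetched at all. The change at the end of the hunk, a '-' blank line followed by a '+' blank line before the jstl comment, is a whitespace-only edit that adds nothing and should be dropped so the patch contains only the version bumps and the new dependency.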

Paul Hoffman

Aug 27, 2013, 6:36:12 AM
to irp...@googlegroups.com
Nate, is there any chance you could provide a patch so I can stop making
patches that don't work? :-)

Thanks,

Paul.