Apache Struts Warns Users of Two-Year-Old Vulnerability

Users must update their vulnerable libraries manually.

The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.

The critical bug in Commons FileUpload library is a known vulnerability (CVE-2016-1000031) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.

Essentially a Java Object exists in the Apache Commons FileUpload library that can be manipulated so that when it is deserialized, it can write or copy files to disk in arbitrary locations.

Read more…
Source: ThreatPost