Users must update their vulnerable libraries manually.
The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.
The critical bug in the Commons FileUpload library is a known vulnerability (CVE-2016-1000031) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.
Essentially, a Java object exists in the Apache Commons FileUpload library that can be manipulated so that, when it is deserialized, it can write or copy files to arbitrary locations on disk.
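Besides updating the library, an application that deserializes data can refuse any class it does not expect before that class's deserialization logic runs. The following is an added example, not code from the article or from Apache: it assumes Java 9 or later and uses a constructed stand-in class, `SideEffectItem`, whose `readObject()` only flips a flag where an affected class would touch the disk.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {
    // Constructed stand-in for a library class whose readObject() has side effects.
    static class SideEffectItem implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean sideEffectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true; // harmless marker for "deserialization logic executed"
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Allow-list filter: accept only the packages the application expects,
    // bound graph depth and stream size, and reject every other class ("!*").
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.*;java.util.*;maxdepth=10;maxbytes=65536;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An expected type passes the filter.
        System.out.println("accepted: " + readFiltered(serialize(new ArrayList<>(List.of("ok")))));
        // An unexpected class is rejected while its class descriptor is read,
        // so its readObject() is never invoked.
        try {
            readFiltered(serialize(new SideEffectItem()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()
                    + " (side effect ran: " + SideEffectItem.sideEffectRan + ")");
        }
    }
}
```

The filter is a second layer only: the vulnerable class remains on the classpath until the library itself is updated.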