About Me

Mr Sheth is a wannabe technical evangelist with more than 17 years of experience (the number of years is just a number); he is focused on functional programming and cloud technologies. Mr Sheth works with a mission-driven organization and is focused on helping students and educators do their day-to-day work with ease and smartness. Currently he is working with Collegeboard as Cloud Architect with the Enrollment Group. He started with the core product that delivers the Estimated Family Contribution (INASaurs team) and is now helping the PowerFAIDS group with their cloud move. Recent achievements:
  • Helping engineers in his group learn new technologies. Designed a CDK workshop for programmatic infrastructure deployment.
  • Event-driven task management system.
  • Designed a passive monitoring system that notifies the DevOps team within 3 seconds of an event occurring, with complete details about the event. Enabling this monitoring requires minimal changes to existing or new components. It also gives complete visibility into the deployed serverless stack as well as the React/JavaScript-based single-page app.

Monday, March 10, 2014

Struts2 Security Vulnerability & Struts Upgrade to 2.3.16/2.3.15.x

About Struts 2 Framework

As we all know:
Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.
Apache Struts 2 was originally known as WebWork 2. After working independently for several years, the WebWork and Struts communities joined forces to create Struts 2. This new version of Struts is simpler to use and closer to how Struts was always meant to be.

It has a number of built-in features, and that has made Struts 2.x one of the top choices for web application developers, along with Spring MVC.


This blog will explain the basic changes developers need to make to upgrade Struts 2.x to 2.3.16/2.3.15.x.

Struts 2 Framework upgrade to latest stable version 2.3.16/2.3.13.x

Last year (sometime around June-July 2013) the Struts 2.x community identified the following two security issues:
  • http://struts.apache.org/release/2.3.x/docs/s2-016.html
  • http://struts.apache.org/release/2.3.x/docs/s2-017.html
I happen to be one of the developers (like many others on earth) who has developed applications using Struts 2.x.

As a fix, the following recommendation was given by the Struts community:

It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library

So these vulnerabilities are present in all Struts 2.x versions prior to 2.3.15.1.

My guess is 95% of the apps to date are running on a lower version of Struts 2. The latest stable version is 2.3.16.


Changes needed for this Struts upgrade

Jar upgrade

Get the jar distribution for Struts version 2.3.15.3 from the following location:
http://mirrors.gigenet.com/apache//struts/binaries/struts-2.3.15.3-all.zip



Changes in web.xml

org.apache.struts2.dispatcher.FilterDispatcher is deprecated.

So instead of using the following filters

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter>
    <filter-name>struts2-cleanup</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>

use

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<!-- the filter still needs a mapping, as before -->
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The cleanup filter is no longer needed if you use StrutsPrepareAndExecuteFilter. Alternatively, you can use the following two filters (prepare first, then execute):

<!-- struts 2 prepare filter -->
<filter>
    <filter-name>struts-prepare</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>
<!-- struts 2 execute filter -->
<filter>
    <filter-name>struts-execute</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>




Note: For apps that use the SiteMesh filter, I would recommend reading the Struts 2.3.15.3 documentation carefully. Also read the StrutsPrepareAndExecuteFilter documentation.


One change that I have observed is with the secure token (part of the token interceptor). The default name of the s:token tag was struts.token. In version 2.3.16 it is changed to token.

Example: On a JSP/FTL page you have an <s:token/> tag,
and you are passing this token as part of your AJAX POST/GET request.

This will be an issue if you use this token as part of an AJAX call from JavaScript. Typically developers submit the name of this token as a hard-coded value, so because of the change in the default token name all AJAX calls will stop working (if there is hard coding). There are two solutions for this:
  • Recommended: read the token name from the hidden parameter and add the POST parameter with the token name dynamically. Then, if the default name of the s:token tag changes again in the future, you don't have to change anything.
  • When you put the <s:token/> tag in your JSP/FTL, give it name="${!somevalueFromServerConstant}", where "somevalueFromServerConstant" is a server-side constant. The other change you have to make is on the action side: when you return a fresh value of this token from the action class, create the token with the same name, i.e. pass the value of "somevalueFromServerConstant" to TokenHelper.setToken(somevalueFromServerConstant).
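The recommended solution above, as an added example that is not part of the original post: client-side code that never hard-codes the token name but reads it from the hidden inputs the <s:token/> tag renders (assumed here to be a "struts.token.name" input whose value is the token field's name, plus the token field itself). The sample inputs are constructed, as are the helper names.

```javascript
// Added example (not from the original post). Build AJAX POST parameters that
// carry the Struts 2 token without hard-coding its field name, so the rename
// from "struts.token" to "token" in 2.3.16 needs no client change.

// Minimal view of a hidden input: { name, value }. Real DOM inputs work too.
function strutsTokenParams(inputs) {
  const byName = new Map();
  for (const el of inputs) {
    if (el && el.name) byName.set(el.name, el.value);
  }
  // The tag's first hidden input names the field that holds the token value.
  const tokenName = byName.get('struts.token.name');
  if (!tokenName || !byName.has(tokenName)) {
    // Fail loudly: without the token the TokenInterceptor rejects the request.
    throw new Error('Struts token not found among hidden inputs');
  }
  return { 'struts.token.name': tokenName, [tokenName]: byName.get(tokenName) };
}

// Merge the token into the caller's own parameters and serialise as
// application/x-www-form-urlencoded, ready for XMLHttpRequest.send().
function buildPostBody(params, inputs) {
  const all = Object.assign({}, params, strutsTokenParams(inputs));
  return Object.entries(all)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Browser helper (hypothetical name): read the hidden inputs of a form by id.
function buildPostBodyFromForm(formId, params) {
  const form = document.getElementById(formId);
  return buildPostBody(params, form.querySelectorAll('input[type="hidden"]'));
}

// Constructed sample of what <s:token/> renders on 2.3.16; token value is made up.
const sampleInputs216 = [
  { name: 'struts.token.name', value: 'token' },
  { name: 'token', value: 'ABCDEF0123456789' },
];
// Same page rendered by a pre-2.3.16 release: only the field name differs.
const sampleInputsOld = [
  { name: 'struts.token.name', value: 'struts.token' },
  { name: 'struts.token', value: 'ABCDEF0123456789' },
];
```

Because the token name comes from the page, the same buildPostBody call produces a valid body for both sets of inputs.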
 

Apache Struts 2 basic requirements

  • Servlet API 2.4
  • JSP API 2.0
  • Java 5
Version Notes:
The latest version of Struts is 2.3.16, released in December 2013. Feel free to evaluate and use the appropriate version for your project.
Note: This documentation was created after evaluating the upgrade requirements for POC projects. Specific project requirements might require additional changes.


Reference: http://struts.apache.org/development/2.x/