=====================================================================
CERT-Renater Information Note No. 2014/VULN112
_____________________________________________________________________
DATE                 : 25/04/2014
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Struts version 2 up to and including 2.3.16.1.
======================================================================
https://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C53592E84.5010505@apache.org%3E
http://struts.apache.org/announce.html#a20140424
______________________________________________________________________
In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.

A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described in [1].
* Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release.

Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

--
René Gielen
http://twitter.com/rgielen

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
==========================================================
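As an added example (not part of the CERT-Renater note or the Struts announcement), a defender-side scan of web-server access logs for the kind of request parameter this note describes. It assumes, from the public Struts advisories linked above rather than from this note, that the offending parameter names address `class.classLoader` (including the capitalised and OGNL-bracket spellings), and it runs over constructed log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter NAMES that reach the action's ClassLoader through its `class`
# property: "class.classLoader...", "Class.classLoader..." and the OGNL bracket
# spelling "['class'].classLoader...". Assumed from the public Struts
# announcements linked in the note; the note itself gives no pattern.
CLASSLOADER_PARAM = re.compile(
    r"""^(?:.*\.)?(?:class|\[['"]class['"]\])\.classLoader(?!\w)""",
    re.IGNORECASE,
)

# Request target of the logged request line ("GET /path?query HTTP/1.1").
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/')

# Constructed access-log lines (Combined Log Format) used as sample input.
SAMPLE_LOG = """\
10.0.0.7 - - [25/Apr/2014:10:01:02 +0200] "GET /app/login.action?user=alice&remember=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2014:10:01:05 +0200] "GET /app/login.action?class.classLoader.foo=1 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.9 - - [25/Apr/2014:10:01:06 +0200] "GET /app/search.action?Class.classLoader.bar=1 HTTP/1.1" 200 100 "-" "curl/7.30"
10.0.0.9 - - [25/Apr/2014:10:01:07 +0200] "GET /app/search.action?q=class.classLoader HTTP/1.1" 200 100 "-" "curl/7.30"
10.0.0.9 - - [25/Apr/2014:10:01:08 +0200] "GET /app/search.action?%5B%27class%27%5D.classLoader.baz=1 HTTP/1.1" 200 100 "-" "curl/7.30"
"""


def suspicious_params(log_text):
    """Return (line_no, client_ip, param_name) for each query parameter whose
    NAME addresses the ClassLoader. Values are ignored on purpose: Struts only
    treats parameter names as property paths, so "class.classLoader" typed into
    a search box (line 4 of the sample) must not be reported."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl percent-decodes, so the bracket spelling on line 5 is seen
        # as "['class'].classLoader.baz" and is caught like the plain form.
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if CLASSLOADER_PARAM.match(name):
                hits.append((n, line.split()[0], name))
    return hits


if __name__ == "__main__":
    for line_no, ip, name in suspicious_params(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent parameter {name!r}")
```

Access logs only record the query string; parameters submitted in a POST body are invisible here and need request-body logging at a reverse proxy or WAF to be checked the same way.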