Bugzilla – Bug 985813
VUL-0: CVE-2016-4430: struts: Bypassing token validation triggered by malicious expression
Last modified: 2016-06-21 07:44:48 UTC
https://struts.apache.org/docs/s2-038.html

Summary: It is possible to bypass token validation and perform a CSRF attack
Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible CSRF attack
Maximum security rating: Medium
Recommendation: Upgrade to Struts 2.3.29.
Affected Software: Struts 2.3.20 - Struts 2.3.28.1
Reporter: Takeshi Terada websec02 dot g02 at gmail.com
CVE Identifier: CVE-2016-4430

Problem: It is possible to pass a malicious expression which can be used to bypass token validation and perform a CSRF attack.

Solution: Upgrade to Apache Struts version 2.3.29.

Backward compatibility: Some backward incompatibility issues are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround: You can try to use a more restrictive RegEx to clean up action names, as below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern; it should be as narrow as possible.
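The advisory's workaround only helps if the tightened RegEx still accepts every action the application really declares. The following added check (my own example, not code from the advisory or the Struts project) reads the struts.allowed.action.names constant and the action names out of a constructed struts.xml fragment and reports which names the RegEx would reject; it assumes Struts applies the pattern as a whole-string match, so re.fullmatch is used as the equivalent.

```python
"""Check a Struts 2 struts.allowed.action.names workaround against the
actions an application actually declares (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment: the advisory's restrictive RegEx plus a
# few action declarations, one of which uses a character the RegEx excludes.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.allowed.action.names" value="[a-zA-Z]*" />
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction" />
    <action name="viewReport" class="example.ReportAction" />
    <action name="export-csv" class="example.ExportAction" />
  </package>
</struts>
"""


def allowed_pattern(struts_xml: str) -> "re.Pattern":
    """Return the compiled struts.allowed.action.names RegEx from struts.xml."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.allowed.action.names":
            return re.compile(const.get("value", ""))
    raise ValueError("struts.allowed.action.names is not set")


def declared_actions(struts_xml: str) -> list:
    """Collect every <action name="..."> declared in struts.xml."""
    root = ET.fromstring(struts_xml)
    return [a.get("name") for a in root.iter("action") if a.get("name")]


def check_workaround(struts_xml: str) -> dict:
    """Classify each declared action name as accepted or rejected by the RegEx.

    Assumption: Struts matches the whole action name against the pattern,
    so re.fullmatch (not re.search) is the equivalent here."""
    pattern = allowed_pattern(struts_xml)
    result = {"accepted": [], "rejected": []}
    for name in declared_actions(struts_xml):
        key = "accepted" if pattern.fullmatch(name) else "rejected"
        result[key].append(name)
    return result


if __name__ == "__main__":
    report = check_workaround(SAMPLE_STRUTS_XML)
    print("accepted:", report["accepted"])
    print("rejected (widen the RegEx or rename):", report["rejected"])
```

Any name in the rejected list would stop resolving once the workaround is deployed, so either rename it or widen the character class just enough to cover it.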
we do not ship struts 2, only struts 1