SummaryAccess permission override causing a Denial of Service when performing a file upload
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Denial of Service
Maximum security rating
Upgrade to Struts 2.5.22 or greater
If this is not possible, add
Struts 2.0.0 - Struts 2.5.20
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read only, such that subsequent upload actions will fail.
In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type
java.nio.File as well as other classes from these standard library packages are not properly protected by the framework to deny access to potentially harmful underlying properties.
Upgrade to Struts 2.5.22 which excludes classes from
java.nio from property evaluation by default.
No issues expected when upgrading to Struts 2.5.22
While it is highly recommended to upgrade to Struts 2.5.22, if you are not able to do this you can mitigate the issue by adding
java.nio. to the value attribute of the
struts.excludedPackageNames constant in
Read more about the internal Struts security mechanism.