...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Dynamic method executions

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.15.2

Affected Software

Struts 2.0.0 - Struts 2.3.15.1

Reporter

Direct mail to security@struts.apache.org shine@wooyun.org, HelloWorld security team

CVE Identifier

CVE-2013-4316

...

Dynamic Method Invocation (DMI) is a mechanism known to expose applications to security vulnerabilities, but until now it was enabled by default, with a warning that users should switch it off where possible.

...

In Struts 2.3.15.2, Dynamic Method Invocation is set to false by default. On older versions, the equivalent option is to set struts.enable.DynamicMethodInvocation to false in struts.xml:

Code block (xml):

    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
Note: Backward Compatibility

Disabling Dynamic Method Invocation can break your application if it relies on DMI heavily (for example, URLs of the form action!method). Nevertheless, please consider refactoring your application to avoid DMI.
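As an added example (not part of the original bulletin), the following struts.xml shows DMI disabled explicitly together with the refactoring the note asks for: the method is chosen in configuration with the action element's method attribute instead of being taken from the request URL. The package name, action class and JSP paths are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Default in 2.3.15.2; set it explicitly so older builds behave the same. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- Hypothetical package and action class, constructed for this example. -->
    <package name="example" namespace="/" extends="struts-default">

        <!-- Before the refactoring, with DMI enabled, a request such as
             /user!save.action selected the method from the URL. With DMI
             disabled that URL no longer dispatches to save(), so each method
             that should be reachable gets its own mapping. -->
        <action name="saveUser" class="com.example.UserAction" method="save">
            <result>/WEB-INF/jsp/user-saved.jsp</result>
        </action>
        <action name="deleteUser" class="com.example.UserAction" method="delete">
            <result>/WEB-INF/jsp/user-deleted.jsp</result>
        </action>

        <!-- Methods without a mapping (e.g. internal helpers on UserAction)
             are now unreachable from the URL, which is the point of turning
             DMI off. Wildcard mappings with method="{1}" would reintroduce
             URL-controlled method selection and are best avoided. -->
    </package>
</struts>
```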

Warning

It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.