Apache Struts 1.2.9 with SP2 by TERASOLUNA

Introduction

This is the release of Apache Struts 1.2.9 with Security Patch 2 contributed by TERASOLUNA (hereafter, Struts 1.2.9 sp2). It corrects a vulnerability of Apache Struts 1 relative to Apache Struts 1.2.9 sp1, which is used by TERASOLUNA Framework.

  • CVE-2015-0899
    • In Struts 1.1 through 1.2.9-sp1 and 1.3.x, the input check can be skipped by tampering with the value of the request parameter "page", which is used by the MultiPageValidator functionality (MPV functionality).

Struts 1.2.9 sp2

Struts 1.2.9 sp2 makes the following changes relative to Struts 1.2.9 sp1.

  • Changes
    • Added a configuration item acceptPage in the Struts configuration file (struts-config.xml).
      • If acceptPage is not configured, the input check is executed regardless of the value of the "page" attribute.
      • If acceptPage is configured, its value is compared with the value of the "page" attribute and the input check is performed based on the higher value.
    • For details, refer to the functional detail document "TERASOLUNA Server Framework for Java(Web版) 機能説明書.pdf", section "WF-01 拡張入力チェック機能 - MultiPage-Validate(以下、MPV)機能の使用について" (WF-01 Extended input check function: using the MultiPage-Validate (MPV) function; Japanese only), p. 218.
  • Change Location
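The rule above, as an added example that is not code from TERASOLUNA or Apache Struts: a stand-alone Java program that models which fields the MultiPage Validator checks under the original behaviour (the "page" request value trusted as-is), under sp2 with acceptPage left unset, and under sp2 with acceptPage configured. The field names, page numbers and the ACCEPT_PAGE_UNSET sentinel are constructed for the illustration; the comparison rule itself (a field is validated when its page number is at or below the page the form reports) is the Commons Validator one that Struts 1 relies on.

```java
/**
 * Added example, not TERASOLUNA's or Apache Struts' own code. It models the
 * rule the MultiPage Validator (MPV) applies and the three behaviours
 * described above: the original page-based check, sp2 with acceptPage left
 * unset, and sp2 with acceptPage configured. Field names and page numbers
 * are constructed sample data.
 */
public class MultiPageValidationDemo {

    /** Sentinel meaning "acceptPage is not configured in struts-config.xml" (assumption for the demo). */
    static final int ACCEPT_PAGE_UNSET = -1;

    /** Constructed sample form: each field belongs to one page of a three-page wizard. */
    static final String[] FIELD_NAMES = { "userName", "password", "email", "creditCard" };
    static final int[]    FIELD_PAGES = { 1,          1,          2,       3 };

    /**
     * Commons Validator rule: a field is validated when its page number is
     * less than or equal to the page number the form reports. Returns the
     * names of the fields that would be checked for the given page.
     */
    static String[] fieldsCheckedUpTo(int page) {
        int count = 0;
        for (int i = 0; i < FIELD_PAGES.length; i++) {
            if (FIELD_PAGES[i] <= page) count++;
        }
        String[] checked = new String[count];
        int n = 0;
        for (int i = 0; i < FIELD_PAGES.length; i++) {
            if (FIELD_PAGES[i] <= page) checked[n++] = FIELD_NAMES[i];
        }
        return checked;
    }

    /** Behaviour before the fix: the "page" request parameter is trusted as-is. */
    static String[] validateSp1(int requestPage) {
        return fieldsCheckedUpTo(requestPage);
    }

    /**
     * sp2 behaviour as described above. With acceptPage unset the check runs
     * for every field regardless of the request value; with acceptPage set,
     * the higher of acceptPage and the request value is used, so a request
     * cannot lower the page below the configured one.
     */
    static String[] validateSp2(int requestPage, int acceptPage) {
        if (acceptPage == ACCEPT_PAGE_UNSET) {
            return fieldsCheckedUpTo(Integer.MAX_VALUE);
        }
        return fieldsCheckedUpTo(Math.max(requestPage, acceptPage));
    }

    /** Joins field names for display; StringBuffer keeps the code JDK 1.3 compatible. */
    static String join(String[] names) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < names.length; i++) {
            if (i > 0) sb.append(", ");
            sb.append(names[i]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The final (third) wizard page is being submitted, but the request carries page=1.
        int requestPage = 1;
        System.out.println("sp1, page=1 trusted:   " + join(validateSp1(requestPage)));
        System.out.println("sp2, acceptPage unset: " + join(validateSp2(requestPage, ACCEPT_PAGE_UNSET)));
        System.out.println("sp2, acceptPage=3:     " + join(validateSp2(requestPage, 3)));
    }
}
```

The program avoids generics and the enhanced for loop, so it compiles on the JDK 1.3.1 named in the build procedure as well as on current JDKs. When the last page is submitted with page=1, the sp1 path validates only the two page-1 fields; with acceptPage unset, sp2 validates all four fields, and with acceptPage=3 the effective page becomes 3 and again all four fields are validated, whatever value the request carried.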

Update from Struts 1.2.9 sp1 to Struts 1.2.9 sp2

Replace the existing "Struts.jar" with the one provided in this patch. Only "Struts.jar" needs to be replaced; other jar files that depend on it need not be replaced.

Build procedure from source-code

Below is the procedure to build the struts-1.2.9-sp2 source code and create the struts.jar file.

  1. Install JDK1.3.1_04
  2. Install apache-ant-1.6.1 and add libraries
    Deploy apache-ant-1.6.1 and add the following libraries under the lib folder of ant.
    • commons-logging-1.0.4.jar
    • junit-3.8.1.jar
    • xalan-2.5.1.jar
  3. Deploy the source code of struts-1.2.9-sp2
    Unzip the source code zip file in a directory of your choice. Create a lib folder in the struts-1.2.9-sp2-src folder.
  4. Deploy the jar files required for the build
    Place the jar files below in a directory of your choice.
    • antlr-2.7.2.jar
    • checkstyle-2.4.jar
    • commons-beanutils-1.7.0.jar
    • commons-digester-1.6.jar
    • commons-fileupload-1.0.jar
    • commons-logging-1.0.4.jar
    • commons-validator-1.1.4.jar
    • junit-3.8.1.jar
    • log4j-1.2.14.jar
    • servletapi-2.3.jar
    • xerces-1.4.4.jar
    • oro-2.0.7.jar
    • jakarta-taglibs-standard-1.0
      • jstl.jar
      • standard.jar
    • jakarta-tomcat-4.0.6
      • jdbc2_0-stdext.jar
  5. Create the configuration file for the build
    Rename build.properties.sample to build.properties and change the paths in the file according to your own environment.
  6. Environment settings for the build
    Set the environment variables below according to your own environment.
    • JAVA_HOME
    • ANT_HOME
  7. Build using ant

Download

Reference

CVE - CVE-2015-0899

JVNDB-2015-000042 - JVN iPedia - Vulnerability Countermeasure Information Database

Disclaimer

Unless required by applicable law or agreed to in writing, Struts 1.2.9 sp2 distributed under the Apache License, Version 2.0 is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the Apache License, Version 2.0 for the specific language governing permissions and limitations under the License.

*TERASOLUNA is a registered trademark or trademark of NTT DATA Corporation in Japan and other countries.
*Other company names, product names and service names mentioned are trademarks or registered trademarks of the respective companies (owners).