Struts 2 security vulnerability issue

Submitted by 做~自己de王妃 on 2019-12-23 03:30:25

Question


We have projects using Struts 2.0 and 2.1.

We're using web-hosting with Tomcat and both projects are working fine on remote servers. Recently, we got warning message from the webhosting provider, like:

This notice is to inform you that numerous vulnerabilities have recently been discovered related to the Struts and Struts2 frameworks and other frameworks which use OGNL classes.

Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1

After research, we found there are continual upgrades: http://struts.apache.org/announce.html

Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (the latest version at present). However, we found it's not a trivial task to upgrade Struts2, since nothing works, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.

One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to re-write all the code just because of the upgrade.

We want to know if we don't upgrade Struts2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.


Answer 1:


You are probably looking for the Security Bulletins. Each document describes the summary, the problem, and the solution to resolve the problem. At the end of each document you can find hotfixes if they are available.




Answer 2:


One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag.

It seems you are using Struts 2 and the Struts 2 jQuery plugin, so try updating to Struts 2 jQuery 3.7.0 too.

I recommend accepting some rework and upgrading, as some of the security issues are high-severity.

There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and the list of excluded parameters.
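
The parameter-name filtering that Answer 2 refers to (the acceptable-name check in ParametersInterceptor and the excludeParams list on the params interceptor) is what decides whether a request parameter name is handed to OGNL at all, which is why the OGNL/ClassLoader bulletins changed exactly those two things. The script below is an added illustration, not code from Struts, from the question or from either answer: it applies an allowlist regex modeled on the accepted-name pattern in Struts 2.3.16.x and a denylist modeled on the excludeParams patterns the S2-020/S2-021 bulletins recommended, to a constructed set of parameter names. The exact defaults differ between Struts versions, so treat both regexes as assumptions and compare them against the struts-default.xml and ParametersInterceptor shipped with the version you actually run.

```python
import re

# Allowlist: what a parameter name may look like before OGNL ever sees it.
# Modeled on the Struts 2.3.16.x accepted-name pattern (word characters,
# dotted property chains, numeric or word indexes); this is an assumption,
# check the default in your version's ParametersInterceptor.
ACCEPTED_PATTERN = re.compile(
    r"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\[\w+\])|(\(\w+\)))*"
)

# Denylist: names that are syntactically fine but must never be evaluated.
# Modeled on the excludeParams list from the S2-020/S2-021 guidance (first
# entry blocks any path through "class"/"Class", i.e. the ClassLoader
# manipulation vector); again an assumption, not the project's verbatim file.
EXCLUDED_PATTERNS = [re.compile(p) for p in [
    r'''(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*''',
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]]

# Constructed sample request: legitimate form fields mixed with the kinds of
# names seen in the OGNL and ClassLoader advisories.
SAMPLE_REQUEST = {
    "user.name": "alice",
    "items[0].id": "42",
    "class.classLoader.resources.dirContext.docBase": "/tmp",
    "foo.Class.classLoader.URLs[0]": "file:///",
    "#_memberAccess['allowStaticMethodAccess']": "true",
    "action:logout": "1",
    "dojo.preventCache": "1",
}


def is_accepted(name: str) -> bool:
    """Java's Matcher.matches() is a full match, so use fullmatch here too."""
    return ACCEPTED_PATTERN.fullmatch(name) is not None


def is_excluded(name: str) -> bool:
    return any(p.fullmatch(name) for p in EXCLUDED_PATTERNS)


def filter_params(params: dict) -> tuple[dict, dict]:
    """Split a request's parameters into those that may be set on the action
    and those that are dropped, with the reason for each rejection."""
    accepted, rejected = {}, {}
    for name, value in params.items():
        if not is_accepted(name):
            rejected[name] = "not an acceptable parameter name"
        elif is_excluded(name):
            rejected[name] = "matches excludeParams"
        else:
            accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_params(SAMPLE_REQUEST)
    for name in ok:
        print(f"PASS  {name}")
    for name, why in dropped.items():
        print(f"DROP  {name}  ({why})")
```

The two checks fail in different ways and both matter: `#_memberAccess[...]` and `action:logout` never match the allowlist, while `class.classLoader...` and `dojo.preventCache` are perfectly well-formed property paths and are only stopped by the denylist. In Struts itself the denylist is the `excludeParams` parameter of the `params` interceptor-ref in struts.xml, so an application that overrides the default `params` configuration in its own stack silently loses the bulletin's exclusions unless it copies them in.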



Source: https://stackoverflow.com/questions/23499685/struts-2-security-vulnerability-issue
