Red Hat Bugzilla – Bug 1013036
CVE-2013-4316 struts: dynamic method executions is enabled by default
Last modified: 2013-09-30 02:54:59 EDT
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
In Struts 2.3.15.2 the Dynamic Method Invocation is set to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml:
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
Upstream bug report: https://issues.apache.org/jira/browse/WW-4201
The actual Struts version in Fedora is 1.3.10.
The problem is present only in Struts 2.0.0 and Struts 2.3.15.1.
Please don't close bugs that are not assigned to you.
Yes, upstream indicates 2.0.0+ but that is only because 1.x is no longer supported (so they never indicate whether it is affected). Did you see the patch that corrects this issue and verify that it doesn't apply to 1.x? Or do you have something more concrete than just upstream's "affected versions" value to substantiate this claim?
"In Struts 2.3.15.2 the Dynamic Method Invocation is set to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml:
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>"
1.x series is required by springframework and the file struts.xml is unavailable for 1.x
struts2 also breaks compatibility with the following package:
velocity-tools (springframework BR/R)
I will not update struts2 until it depends on tomcat6 APIs, or SpringFramework and Velocity tools do not require more.
Not Vulnerable. This issue only affects struts 2, it does not affect the versions of struts as shipped with various Red Hat products.