S2-019: Dynamic Method Invocation disabled by default
|Who should read this||All Struts 2 developers and users|
|Impact of vulnerability||Dynamic method executions|
|Maximum security rating||Important|
|Recommendation||Developers should immediately upgrade to Struts 184.108.40.206|
|Affected Software||Struts 2.0.0 - Struts 220.127.116.11|
|Reporter||firstname.lastname@example.org, HelloWorld security team|
Dynamic Method Invocation (DMI) is a mechanism known to expose possible security vulnerabilities, but until now it was enabled by default, with a warning that users should switch it off if possible.
In Struts 18.104.22.168 Dynamic Method Invocation is set to false by default. For applications that cannot upgrade immediately, another option is to set the constant struts.enable.DynamicMethodInvocation to false in struts.xml.
Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider refactoring your application to avoid DMI, so that only the action methods you map explicitly in configuration are reachable from a request.
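As an added illustration that is not part of the bulletin, the struts.xml below disables DMI explicitly and shows a DMI-style mapping beside its refactored form, where the method is chosen in configuration rather than by the `!method` suffix of the request URL. The package, action, class and JSP names are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Disable DMI explicitly so the setting no longer depends on the
         framework default. The same constant can also be placed in
         struts.properties as struts.enable.DynamicMethodInvocation=false -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Hypothetical package; names below are assumptions for illustration -->
    <package name="accounts" namespace="/accounts" extends="struts-default">

        <!-- BEFORE (relies on DMI): with DMI enabled a request such as
             /accounts/account!delete.action invokes AccountAction.delete(),
             so the client, not the configuration, picks the method.
             With DMI disabled the "!delete" suffix is no longer split off
             and no action named "account!delete" exists, so the request
             does not reach delete(). -->
        <action name="account" class="com.example.AccountAction">
            <result>/WEB-INF/jsp/account.jsp</result>
        </action>

        <!-- AFTER (no DMI): each invokable method gets its own mapping via
             the method attribute, so only the methods listed here are
             reachable: /accounts/account-delete.action -> delete() -->
        <action name="account-delete" class="com.example.AccountAction" method="delete">
            <result>/WEB-INF/jsp/account-deleted.jsp</result>
        </action>
    </package>
</struts>
```

After applying this change, review links and forms for `!` suffixes in action URLs, since each one must be replaced by a call to an explicitly mapped action name.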
It is strongly recommended to upgrade to Struts 22.214.171.124, which contains the corrected Struts2-Core library.