September 30, 2020

CVE-2019-0230: Apache Struts2 Remote Code Execution Vulnerability Alert

1 min read
On August 13, 2020, Apache officially issued a risk notice for the Struts2 remote code execution vulnerability, the vulnerability number is CVE-2019-0230, and the vulnerability level is a high risk, vulnerability score is 8.5. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It utilizes and extends the Java Servlet API, encouraging developers to adopt the MVC architecture.
CVE-2018-11776
An attacker can construct a malicious OGNL expression and set it to be modified by external input, and execute the attribute value of the Struts2 tag of the OGNL expression, trigger the analysis of the OGNL expression, and ultimately cause the impact of remote code execution.
The vulnerability has three limitations:
  1. Struts2 tag attribute values ​​can execute OGNL expressions
  2. The attribute value of Struts2 tag can be modified by external input
  3. The attribute value of Struts2 tag is not verified by security
Only when the above three conditions are met, the attacker can construct malicious OGNL expressions to cause the impact of remote command execution.

Affected version

  • Apache Struts2:2.0.0-2.5.20

Unaffected version

  • Apache Struts Struts 2.5.22

Solution

In this regard, we recommend that users upgrade Apache Struts2 in time to fix this vulnerability. You can turn on ONGL expression injection protection measures.