On August 13, 2020, Apache officially issued a security advisory for a remote code execution vulnerability in Struts2. The vulnerability is tracked as CVE-2019-0230; it is rated high risk with a score of 8.5. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the MVC architecture.
An attacker can supply a malicious OGNL expression through external input. If that input ends up as the value of a Struts2 tag attribute that uses forced OGNL evaluation (the %{...} syntax), the attribute value is evaluated as OGNL a second time, the attacker's expression is parsed and executed, and the result is remote code execution.
The vulnerability has three preconditions:
- The value of a Struts2 tag attribute is evaluated as an OGNL expression (forced evaluation with %{...})
- That attribute value can be modified by external input
- That attribute value is not validated before use
Only when all three conditions hold can an attacker construct a malicious OGNL expression and achieve remote code execution.
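As an added triage aid (it is not part of the original advisory or of the Struts project), the following Python script turns the first two conditions into a static check over JSP source: it reports every Struts tag attribute whose value uses forced evaluation (%{...}), and then separates the findings whose forced expression is simply a bare action property that the reviewer knows can be set from request parameters (so the attribute value is whatever the client sent) from those that need manual review. Whether the value is validated (the third condition) is not visible to a scanner, so every hit still needs a human look. The SAMPLE_JSP content and the action_setters set are constructed for the demo; the tag, attribute and property names in them are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample JSP (not from any real project) containing both
# forced-evaluation attributes (%{...}) and ordinary attributes.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<html>
<body>
<!-- attribute value is a forced OGNL evaluation of an action property -->
<s:a id="%{skillName}" href="/skills">Skill</s:a>
<!-- plain attribute: evaluated once as OGNL, no forced evaluation -->
<s:property value="skillName"/>
<!-- forced evaluation of expressions that do not simply echo a request property -->
<s:url var="home" value="%{#request.contextPath}"/>
<s:textfield name="skillName" label='%{getText("skill.label")}'/>
</body>
</html>
"""


class Finding(NamedTuple):
    line: int        # 1-based line of the opening tag in the JSP source
    tag: str         # e.g. "s:a"
    attribute: str   # attribute that carries the forced evaluation
    expression: str  # OGNL text inside %{...}


# Opening Struts tag (<s:name ...>); attribute values containing a literal '>' are out of scope here.
STRUTS_TAG = re.compile(r"<(s:[A-Za-z]+)\b([^>]*)>")
# attr="value" or attr='value'
ATTR = re.compile(r"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Forced OGNL evaluation marker used in Struts2 tag attributes
FORCED_EVAL = re.compile(r"%\{([^}]*)\}")
# A bare property name such as skillName (as opposed to #request.x or a method call)
BARE_PROPERTY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_forced_ognl(jsp_source: str) -> List[Finding]:
    """Condition 1: report every Struts tag attribute whose value uses %{...}."""
    findings: List[Finding] = []
    for tag_match in STRUTS_TAG.finditer(jsp_source):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = jsp_source.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR.finditer(attrs):
            name = attr_match.group(1)
            value = attr_match.group(2) if attr_match.group(2) is not None else attr_match.group(3)
            for expr in FORCED_EVAL.findall(value):
                findings.append(Finding(line, tag, name, expr.strip()))
    return findings


def rank_findings(findings: List[Finding], request_settable: set) -> Dict[str, List[Finding]]:
    """Condition 2 heuristic: a forced evaluation of a bare property that the action
    exposes through a public setter (and so can be filled from request parameters)
    means the attribute value is whatever the client sent. Everything else goes to
    manual review; validation (condition 3) cannot be judged from the JSP alone."""
    ranked: Dict[str, List[Finding]] = {"request-controlled": [], "review": []}
    for f in findings:
        if BARE_PROPERTY.match(f.expression) and f.expression in request_settable:
            ranked["request-controlled"].append(f)
        else:
            ranked["review"].append(f)
    return ranked


if __name__ == "__main__":
    # Setter names of the hypothetical action backing SAMPLE_JSP (an assumption for the demo).
    action_setters = {"skillName"}
    report = rank_findings(find_forced_ognl(SAMPLE_JSP), action_setters)
    for bucket, items in report.items():
        for f in items:
            print(f"[{bucket}] line {f.line}: <{f.tag} {f.attribute}=\"%{{{f.expression}}}\">")
```

Run against a real code base by reading each JSP into find_forced_ognl and passing the setter names of the corresponding action class to rank_findings. A finding in the "request-controlled" bucket on a Struts version before 2.5.22 is the exact pattern this advisory describes and should be treated as exploitable until validation of that property is confirmed.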
- Affected versions: Apache Struts 2.0.0 - 2.5.20
- Fixed version: Apache Struts 2.5.22
We recommend that users upgrade Apache Struts2 promptly to 2.5.22 or later to fix this vulnerability, and avoid forced OGNL evaluation (%{...}) on raw user input in tag attributes. Where an immediate upgrade is not possible, OGNL expression injection protection can be enabled as an interim measure.