Security

Apache Software Foundation fixes code execution flaw in Apache Struts 2

The Apache Software Foundation addressed a possible remote code execution vulnerability in Struts 2 related to the OGNL technology.

The Apache Software Foundation has released a security update to address a “possible remote code execution” flaw in Struts 2 that is related to the OGNL technology. 

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes.

“Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution – similar to S2-059.” reads the advisory published by the Apache Software Foundation. “Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”

Upon forcing OGNL evaluation using the %{…} syntax, tag’s attributes could perform double evaluation. Forced OGNL evaluation on untrusted input it is possible to achieve remote code execution.

In August, security researchers discovered a PoC code and exploit available on GitHub that that can be used to trigger the security vulnerabilities in Apache Struts 2. One of the two flaws was the CVE-2019-0230 is similar to CVE-2020-17530.

The CVE-2019-0230 could be triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression that can result in a remote code-execution in the context of the affected application.

Depending on the privileges associated with the affected application, an attacker could perform multiple malicious activities, such as install applications; modify or delete data, or create new admin accounts.

The Apache Software Foundation also provided a workaround for the CVE-2020-17530 flaw, developers should make sure that forced OGNL evaluation is not used on untrusted input. 

The flaw affects Struts 2.0.0 to Struts 2.5.25 and was addressed with the release of Struts 2.5.26.

The Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory for the CVE-2020-17530 flaw.

“The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system.” states the CISA’s advisory.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin S2-061 and Apache security advisory for CVE-2020-17530 and apply the necessary update or workaround.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Struts 2)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

3 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

7 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

21 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.