Apache Software Foundation fixes code execution flaw in Apache Struts 2

The Apache Software Foundation addressed a possible remote code execution vulnerability in Struts 2 related to the OGNL technology.

The Apache Software Foundation has released a security update to address a “possible remote code execution” flaw in Struts 2 that is related to the OGNL technology. 

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes.

“Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution – similar to S2-059.” reads the advisory published by the Apache Software Foundation. “Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”

Upon forcing OGNL evaluation using the %{…} syntax, tag’s attributes could perform double evaluation. Forced OGNL evaluation on untrusted input it is possible to achieve remote code execution.

In August, security researchers discovered a PoC code and exploit available on GitHub that that can be used to trigger the security vulnerabilities in Apache Struts 2. One of the two flaws was the CVE-2019-0230 is similar to CVE-2020-17530.

The CVE-2019-0230 could be triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression that can result in a remote code-execution in the context of the affected application.

Depending on the privileges associated with the affected application, an attacker could perform multiple malicious activities, such as install applications; modify or delete data, or create new admin accounts.

The Apache Software Foundation also provided a workaround for the CVE-2020-17530 flaw, developers should make sure that forced OGNL evaluation is not used on untrusted input. 

The flaw affects Struts 2.0.0 to Struts 2.5.25 and was addressed with the release of Struts 2.5.26.

The Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory for the CVE-2020-17530 flaw.

“The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system.” states the CISA’s advisory.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin S2-061 and Apache security advisory for CVE-2020-17530 and apply the necessary update or workaround.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Struts 2)

[adrotate banner=”5″]

[adrotate banner=”13″]