Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Possible Code Execution Flaw in Apache Struts

The Apache Software Foundation has released a security update for Struts 2, to address what is described as a “possible remote code execution” flaw related to the OGNL technology. 

The Apache Software Foundation has released a security update for Struts 2, to address what is described as a “possible remote code execution” flaw related to the OGNL technology. 

The open-source model-view-controller (MVC) web application framework, which allows developers to build Java apps, is known to have been impacted by critical vulnerabilities, many of them related to the OGNL technology that Struts 2 employs. 

Tracked as CVE-2020-17530, the newly addressed bug resides in “forced OGNL evaluation, when evaluated on raw user input in tag attributes,” according to an Apache advisory.

Specifically, when forced OGNL evaluation is applied using the %{…} syntax, tag’s attributes could perform double evaluation, the company says. Furthermore, remote code execution could be achieved when forced OGNL evaluation is used on untrusted input. 

A similar vulnerability (tracked as CVE-2019-0230) was addressed in August 2020, with the release of Struts 2.5.22. 

Double evaluation was included in Struts 2 by design, meant to be applied when referencing validated values in the given expression. When untrusted user input is referenced, however, malicious code could be injected. 

The workaround solution proposed by Apache is simple: developers should make sure that forced OGNL evaluation is not used on untrusted input. 

The vulnerability was found to affect Struts 2.0.0 to Struts 2.5.25 and was addressed in Struts 2.5.26, where checks are performed to ensure that expression evaluation won’t result in double evaluation.

The Cybersecurity and Infrastructure Security Agency (CISA) today published an advisory to inform on the availability of patches for CVE-2020-17530, warning that the flaw could allow an attacker to take over vulnerable systems and encouraging users and administrators to apply the available patch. 

Related: Oracle Products Affected by Exploited Apache Struts Flaw

Related: Critical Apache Struts Vulnerability Exploited in Live Attacks

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.