The Apache Software Foundation has released a security update for Struts 2, to address what is described as a “possible remote code execution” flaw related to the OGNL technology.
The open-source model-view-controller (MVC) web application framework, which allows developers to build Java apps, is known to have been impacted by critical vulnerabilities, many of them related to the OGNL technology that Struts 2 employs.
Tracked as CVE-2020-17530, the newly addressed bug resides in “forced OGNL evaluation, when evaluated on raw user input in tag attributes,” according to an Apache advisory.
Specifically, when forced OGNL evaluation is applied using the %{…} syntax, a tag’s attributes could perform double evaluation, the foundation says. Furthermore, remote code execution could be achieved when forced OGNL evaluation is used on untrusted input.
A similar vulnerability (tracked as CVE-2019-0230) was addressed in August 2020, with the release of Struts 2.5.22.
Double evaluation was included in Struts 2 by design, meant to be applied when referencing validated values in the given expression. When untrusted user input is referenced, however, malicious code could be injected.
The workaround solution proposed by Apache is simple: developers should make sure that forced OGNL evaluation is not used on untrusted input.
The vulnerability was found to affect Struts 2.0.0 to Struts 2.5.25 and was addressed in Struts 2.5.26, where checks are performed to ensure that expression evaluation won’t result in double evaluation.
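A small review helper, added here as an example and not part of the Apache advisory or the Struts project, that lists every forced-OGNL (%{...}) tag attribute in a JSP so a developer can check each one against the workaround above, and that checks a Struts version against the affected range the advisory gives. The sample JSP, the attribute names and the list of request-derived OGNL roots are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches <s:tag ...> or <s:tag .../>; group 1 is the tag name, group 2 the attributes.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*?)/?>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
FORCED_RE = re.compile(r"%\{(.*?)\}")          # forced OGNL evaluation marker
# OGNL context roots that are populated straight from the HTTP request (constructed list).
REQUEST_ROOTS = ("#parameters", "#request")

@dataclass
class Finding:
    line: int
    tag: str
    attr: str
    expr: str
    request_derived: bool   # True if the expression reads a request-derived root directly

def find_forced_ognl(jsp_text: str) -> List[Finding]:
    """Return every %{...} expression found inside a Struts tag attribute."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        line = jsp_text.count("\n", 0, m.start()) + 1
        for attr, value in ATTR_RE.findall(m.group(2)):
            for expr in FORCED_RE.findall(value):
                derived = any(root in expr for root in REQUEST_ROOTS)
                findings.append(Finding(line, m.group(1), attr, expr, derived))
    return findings

def affected_by_cve_2020_17530(version: str) -> bool:
    """Affected range per the advisory: Struts 2.0.0 through 2.5.25; fixed in 2.5.26."""
    parts = tuple(int(p) for p in version.split("."))
    return (2, 0, 0) <= parts < (2, 5, 26)

# Constructed sample page: one attribute reads a request parameter, two read action properties.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url id="home" action="index"/>
<s:a id="%{skillName}" href="%{#parameters.next}">link</s:a>
<s:textfield name="user.name" value="%{user.name}"/>
"""

if __name__ == "__main__":
    for f in find_forced_ognl(SAMPLE_JSP):
        flag = "request-derived" if f.request_derived else "review source of property"
        print(f"line {f.line}: <s:{f.tag} {f.attr}=\"%{{{f.expr}}}\">  [{flag}]")
    print("2.5.25 affected:", affected_by_cve_2020_17530("2.5.25"))
```

Every finding needs a human decision, since a property such as skillName may itself be populated from user input; the request_derived flag only marks the cases that are unambiguous.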
The Cybersecurity and Infrastructure Security Agency (CISA) today published an advisory announcing the availability of patches for CVE-2020-17530, warning that the flaw could allow an attacker to take over vulnerable systems and encouraging users and administrators to apply the available patch.
More from Ionut Arghire