Critical hole in Apache Struts 2 closed
The developers of the Apache Struts 2 Java web framework have released version 126.96.36.199. This closes a critical hole in versions of Struts from 2.0.0 to 188.8.131.52 that allowed for remote command execution. The vulnerability makes it possible for the protection around OGNL, an expression language used for getting and setting properties of Java objects, to be bypassed and arbitrary expressions be evaluated.
An example given in the advisory shows how an attacker could invoke the
java.lang.Runtime.getRuntime().exec() method to run an arbitrary command if a vulnerable action existed. This is not the first time OGNL has been problematic; in 2008 and 2010, similar problems allowed for unauthorised manipulation and execution of Java classes.
Developers are strongly advised to update to Struts 184.108.40.206 which is available to download. Maven users will find details on how to update in the release notes. For installations that are unable to update, the advisory offers a configuration change which can mitigate the problem.
- ParameterInterceptor vulnerability allows remote command execution, Struts Security Advisory
- CVE-2011-3923: Yet another Struts2 Remote Code Execution, blog posting from Meder Kydyraliev, reporter of the issue