A remote code execution vulnerability exists in various versions of Apache Struts. A successful attack may allow an attacker to take control of the affected system.
Semmle, an independent security research group, has published a finding, confirmed by the Apache Foundation, that a critical remote code execution flaw exists in the popular open source Struts 2 framework. The vulnerability is located in the core of Apache Struts 2 and impacts all supported versions of Struts 2.
The vulnerability originates from insufficient validation of untrusted, user-provided input in the core of the Struts framework under certain configurations. The exploit can be triggered just by visiting a specially crafted URL on the affected web server. It enables attackers to execute malicious code and eventually take complete control of the server on which the vulnerable application is running.
The vulnerability involves the injection of a payload as unvalidated input into a Struts application which is then evaluated and used to cause a remote code execution.
The exploit uses an obscure expression language called OGNL, which is used by only a few Java-based frameworks such as Struts and Spring Web Flow. The OGNL expression payload results in remote code execution and affects Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.
The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of URL tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.
Successful exploitation leads to execution of arbitrary code in the security context of the targeted system or the affected application.
Apache Struts versions:
All applications that use Apache Struts supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) are potentially vulnerable to this flaw, even without enabling any additional plugins.
The following conditions indicate that Apache Struts is vulnerable to the Remote Code Execution flaw:
Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Both of these versions contain only the security fixes, and no backward incompatibility issues are expected. All clients using vulnerable versions of Apache Struts are advised to upgrade to the patched versions as soon as possible.
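The affected version ranges and the namespace condition described above can be checked mechanically during an inventory. The following Python script is an added example, not code from Apache or Semmle; the function names and the sample struts.xml are constructed for illustration, and the configuration check is a coarse heuristic whose hits still need manual review.

```python
import re
import xml.etree.ElementTree as ET

# Last affected patch level per release line, as listed in this advisory:
# 2.3 to 2.3.34 and 2.5 to 2.5.16. Other release lines are not judged here.
AFFECTED = {(2, 3): 34, (2, 5): 16}

def is_affected_version(version):
    """True if a struts2-core version string falls in an affected range."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    last_bad = AFFECTED.get((major, minor))
    return last_bad is not None and patch <= last_bad

def risky_results(struts_xml):
    """Return (package, action) pairs matching the advisory's condition:
    a result with no namespace inside a package whose namespace is
    missing or contains a wildcard."""
    findings = []
    root = ET.fromstring(struts_xml)
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard namespace: condition not met
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                has_ns = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.iter("param"))
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name")))
                    break  # report each action once
    return findings

# Constructed sample configuration (not from any real application).
SAMPLE = """<struts>
  <package name="open" extends="struts-default">
    <action name="go"><result type="redirectAction">home</result></action>
  </package>
  <package name="fixed" namespace="/app" extends="struts-default">
    <action name="go"><result type="redirectAction">home</result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    print(is_affected_version("2.3.34"), is_affected_version("2.5.17"))
    print(risky_results(SAMPLE))
```

A clean result from the configuration check does not replace the upgrade to 2.3.35 or 2.5.17; it only helps prioritise which applications to patch first.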