Security Announcement-Statement on Apache Struts2 remote code execution vulnerability notification CVE-2019-0230
22-06-2021
Overview
Background of the security vulnerability
Apache Struts2 is an open source project maintained by the Apache Software Foundation. It implements an application framework based on the MVC design pattern and is used to build enterprise-level Java web applications. Recently, the New H3C Offensive and Defense Laboratory observed that the Apache Struts project released a security bulletin fixing the S2-059 remote code execution vulnerability, and has tracked and analyzed it.
Principle of the vulnerability
The vulnerability lies in tag parsing. When forced OGNL expression evaluation is used in Struts tag attributes, Apache Struts2 does not perform security validation on the attribute values of certain tags but evaluates them a second time as OGNL expressions. An attacker can trigger this second OGNL evaluation by constructing a malicious request, leading to remote code execution.
For example, the server code is as follows:
<s:url var="url" namespace="/employee" action="list"/>
<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
If skillName is attacker-controllable, an attacker can supply a malicious OGNL expression; when the tag is rendered, the value of skillName is evaluated as an OGNL expression a second time and executed.
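The following is an added example, not code from the H3C advisory or from the Apache Struts project. It shows the application-level control a defender can apply while the upgrade to Struts 2.5.22 is scheduled: any value that an Action exposes to a forced-evaluation attribute such as id="%{skillName}" is restricted to a strict allow-list so that user-controlled text can never be parsed as an expression on the second evaluation. The class SkillNameValidator and its methods are hypothetical names chosen for this illustration.

```java
// Added example (not from the H3C advisory or the Apache Struts project).
// Application-level mitigation for the S2-059 pattern: a value placed in a
// forced-evaluation tag attribute such as id="%{skillName}" is accepted only
// if it matches a strict allow-list. The upgrade recommended by the advisory
// (Struts 2.5.22 or later) remains the actual fix; this only limits exposure
// of one controllable attribute value. SkillNameValidator is a hypothetical name.
import java.util.regex.Pattern;

public final class SkillNameValidator {
    // Letters, digits, '-' and '_' only, bounded length.
    // Excludes '%', '{', '}', '$', '#', quotes and parentheses, so the stored
    // value cannot form an OGNL expression when evaluated a second time.
    private static final Pattern SAFE = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private SkillNameValidator() {}

    /** Returns true when the value may be placed in a Struts tag attribute. */
    public static boolean isSafe(String value) {
        return value != null && SAFE.matcher(value).matches();
    }

    /** Returns the value unchanged if safe, otherwise a neutral fallback. */
    public static String sanitize(String value) {
        return isSafe(value) ? value : "unknown";
    }

    /**
     * Hypothetical Action setter logic: reject disallowed input at the request
     * boundary instead of storing it for later rendering by the tag.
     */
    public static String acceptFromRequest(String requestParam) {
        if (!isSafe(requestParam)) {
            throw new IllegalArgumentException("skillName rejected: contains disallowed characters");
        }
        return requestParam;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two plain names and three values that
        // contain expression syntax and must be rejected.
        String[] samples = { "java", "network-security", "%{1+1}", "#request", "" };
        for (String s : samples) {
            System.out.printf("%-20s safe=%-5b sanitized=%s%n",
                    "\"" + s + "\"", isSafe(s), sanitize(s));
        }
        try {
            acceptFromRequest("%{1+1}");
        } catch (IllegalArgumentException e) {
            System.out.println("setter: " + e.getMessage());
        }
    }
}
```

Compile and run with javac SkillNameValidator.java && java SkillNameValidator. The allow-list approach is deliberately narrower than a deny-list of OGNL characters: it does not try to recognize expressions, it only admits identifiers that cannot be one.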
Scope of impact
Apache Struts 2.0.0 - 2.5.20
Solution
Official patch
The Apache Struts project has fixed this vulnerability in a new release; please upgrade to Struts 2.5.22 or later.
Download link:
https://struts.apache.org/download.cgi#struts2522
H3C solution
The exploitation method of this vulnerability is similar to that of S2-029/S2-036. Deployed H3C IPS devices can defend against this vulnerability: upgrade the IPS signature database to the latest version and enable the Apache Struts2 rules.
H3C security emergency response external service
H3C advocates that every effort be made to safeguard the interests of product users, abides by the principles of responsible disclosure of security incidents, and handles product security issues in accordance with its security issue handling mechanism. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.