...
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Remote code execution |
| Maximum security rating | Critical |
| Recommendation | Developers should either apply the patch immediately, upgrade to Struts 2.0.9, or upgrade to XWork 2.0.4 immediately |
| Affected Software | WebWork 2.1 (with altSyntax enabled), WebWork 2.2.0 - WebWork 2.2.5, Struts 2.0.0 - Struts 2.0.8 |
| Non-Affected Software | WebWork 2.0, WebWork 2.1 (with altSyntax disabled, which is the default) |
| Original JIRA Ticket | |
...
The OGNL parsing code is actually in XWork and not in WebWork 2 or Struts 2.
Solution
As of XWork 2.0.4, the OGNL parsing is changed so that it is not recursive: a value obtained by evaluating a %{...} expression is no longer scanned and evaluated again. Therefore, in the example above, the result will be the expected %{1+1}. You can either obtain the latest version of WebWork 2.0.4 or Struts 2.0.9, which contains the corrected XWork library, or download the fixed XWork library directly. Alternatively, you can obtain the patch and apply it to the XWork source code yourself.
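To make the difference between the recursive and the non-recursive behaviour concrete, the following is an added illustration and not XWork's or Struts' own code. It models the %{...} altSyntax substitution with a toy integer-arithmetic evaluator standing in for OGNL; the function names, the `value_stack` dictionary and the `max_depth` guard are assumptions of this example. In the pre-fix model a value pulled from the stack is scanned for expressions again, so a submitted value of `%{1+1}` ends up as `2`; in the fixed model it is substituted literally, which is the `%{1+1}` result the bulletin describes.

```python
import ast
import operator
import re

# One %{...} expression, the altSyntax form Struts 2 / WebWork evaluate in tag attributes.
EXPR = re.compile(r"%\{([^{}]*)\}")

# Stand-in for OGNL: only integer arithmetic is allowed in this toy.
SAFE_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_arith(expr):
    """Evaluate a tiny arithmetic expression such as '1+1' via the Python AST; anything else is rejected."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in SAFE_OPS:
            return SAFE_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def evaluate_once(text, value_stack):
    """Fixed behaviour as modelled here (XWork 2.0.4 and later): each %{...} in `text` is resolved
    exactly once. A value taken from the stack is substituted literally, even if it looks like an
    expression itself, so the result for a submitted '%{1+1}' is the string '%{1+1}'."""
    def substitute(match):
        inner = match.group(1).strip()
        if inner in value_stack:            # a named value, e.g. a submitted form field
            return str(value_stack[inner])
        return str(eval_arith(inner))       # otherwise treat it as an expression
    return EXPR.sub(substitute, text)


def evaluate_recursive(text, value_stack, max_depth=10):
    """Pre-fix behaviour as modelled here: the substituted result is scanned again, so an
    expression that arrived inside a stack value is evaluated on the next pass.
    `max_depth` is only a guard so this toy cannot loop forever on self-referencing input."""
    current = text
    for _ in range(max_depth):
        nxt = evaluate_once(current, value_stack)
        if nxt == current or not EXPR.search(nxt):
            return nxt
        current = nxt
    return current


if __name__ == "__main__":
    # Constructed sample: a tag attribute value="%{username}" where the submitted field is '%{1+1}'.
    stack = {"username": "%{1+1}"}
    attribute = '<input name="username" value="%{username}">'
    print("recursive (pre-fix):", evaluate_recursive(attribute, stack))
    print("single pass (fixed):", evaluate_once(attribute, stack))
```

Running the block prints the attribute with `value="2"` for the recursive model and `value="%{1+1}"` for the single-pass model; the second is the behaviour the bulletin's fix restores, and it is the property a regression test for a template engine should assert: data read from the value stack must never be re-parsed as an expression.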