Summary
Remote Code Execution can be performed when using REST Plugin.Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating | Important |
Recommendation | Upgrade to Struts 2.3.29. |
Affected Software | Struts 2.3.20 - Struts Struts 2.3.28.1 |
Reporter | Chao Jack PKAV_香草 jc1990999 at yahoo dot com Shinsaku Nomura nomura at bitforest dot jp |
CVE Identifier | CVE-2016-4438 |
Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when using the REST Plugin.
Solution
Upgrade to Apache Struts version 2.3.29.
Backward compatibility
Some backward incompatibility issues are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assigments.
Workaround
Not possible as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects.