...

Excerpt

Forced double OGNL evaluation of raw user input in tag attributes may lead to remote code execution.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution vulnerability

Maximum security rating

Important

Recommendation

Always validate the values of incoming parameters before re-assigning them to Struts tag attributes.

Don't use the %{...} or ${...} syntax to reference user-modifiable input in tag attributes other than value unless you have a valid use case.

Consider activating Proactive OGNL Expression Injection Protection, if applicable.

Alternatively, upgrade to Struts 2.5.22 or greater.

Affected Software

Struts 2.0.0 - Struts 2.5.20

Reporters

Matthias Kaiser, Apple Information Security

CVE Identifier

CVE-2019-0230

Problem

The Apache Struts framework, when forced, performs a double evaluation of the values assigned to certain tag attributes, such as id. It is therefore possible to pass in a value that is evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).

...

The ultimate fix is to add proper validation of each incoming value that is used in a tag's attributes. Don't use forced evaluation of an attribute other than value via the %{...} or ${...} syntax unless it is really needed for a valid use case.
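As an added example, not taken from the advisory or the Struts code base, the following hypothetical Struts 2 action shows the validation the recommendation asks for: the request parameter skillName is restricted to a plain identifier before a page can reference it from a tag attribute such as id="%{skillName}". The class, package and field names are assumptions.

```java
// Added example, not from the advisory: a hypothetical Struts 2 action that
// validates a request parameter before it is referenced from a tag attribute.
package example;

import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

public class SkillAction extends ActionSupport {

    // A page might render <s:a id="%{skillName}" ...>. The %{...} in the
    // attribute forces the value through OGNL, and on Struts 2.0.0 - 2.5.20
    // the rendered attribute value is evaluated a second time. Restricting the
    // value to a plain identifier means no expression syntax (%{...} or ${...})
    // can survive to that second evaluation.
    private static final Pattern SAFE_ID =
            Pattern.compile("[A-Za-z][A-Za-z0-9_-]{0,63}");

    private String skillName; // populated from the request parameter "skillName"

    @Override
    public void validate() {
        if (!isSafeId(skillName)) {
            // With a field error present, the workflow interceptor in the
            // default stack returns INPUT, so the rejected value never reaches
            // the tags on the success result page.
            addFieldError("skillName", "skillName must be a plain identifier");
        }
    }

    // Accepts only letters, digits, '_' and '-', starting with a letter.
    static boolean isSafeId(String candidate) {
        return candidate != null && SAFE_ID.matcher(candidate).matches();
    }

    @Override
    public String execute() {
        return SUCCESS;
    }

    public String getSkillName() {
        return skillName;
    }

    public void setSkillName(String skillName) {
        this.skillName = skillName;
    }
}
```

The same allow-list check applies to any parameter that ends up in a forced-evaluation attribute; the regular expression should be narrowed further to whatever the application actually needs.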

...