Struts2 Remote Code Execution Vulnerability (S2-057)
- Source: SANGFOR Security Center
- Date Published: 2018-08-24
Definition From Encyclopedia
Apache Struts 2 is one of the most popular MVC-based Java web application frameworks.
The core of Struts2 is WebWork: it handles user requests through interceptors and acts as the controller that mediates data exchange between the model and the views. This design lets the business-logic controller be completely independent of the Servlet API. Struts2 evolved from WebWork.
Remote code execution is possible when the namespace value is not set for a result defined in the XML configuration (for example struts-actionchaining.xml) and, at the same time, the upper action(s) have no namespace or a wildcard namespace.
Likewise, remote code execution is possible when a url tag in a JSP has neither value nor action set and, at the same time, the upper action(s) have no namespace or a wildcard namespace.
Globally, over 6,343 Struts2-based assets are exposed to the Internet, 1,218 of them in China, as shown in the following figure.
The introduction above may be rather technical. To give an intuitive view of the vulnerability and the attack process, we reproduced it.
1. The Struts 2 version is between 2.3 and 2.3.34 or between 2.5 and 2.5.16.
2. Struts-actionchaining.xml is not configured with value of
We ran the following test in a Struts2 environment with this vulnerability.
The vulnerability can be exploited by placing an OGNL expression in the namespace part of the URL, followed by the action name from the name attribute of the action tag and the .action suffix, as shown below:
The OGNL expression is evaluated when the URL is requested.
The request is also redirected to the path that has been set in
Struts 2.3 - Struts 2.3.34
Struts 2.5 - Struts 2.5.16
Other unsupported Struts versions.
Download or upgrade to the latest version (2.3.35 or 2.5.17); Apache has released new versions with this vulnerability fixed (http://archive.apache.org/dist/struts/).
As a temporary and weaker workaround, verify in all XML configurations that namespace is always set for results whenever the upper action(s) have no namespace or a wildcard namespace, and verify in JSPs that value and action are always set in all url tags.
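To make the two workaround checks concrete, here is an added example that is not part of the Sangfor advisory or of the Apache Struts project: a Python script that embeds a constructed vulnerable Struts configuration beside a hardened one, plus a constructed JSP fragment, and applies the advisory's two conditions to them. The package, action and class names, the XML and JSP samples, and the set of namespace-sensitive result types are assumptions made for illustration; the script is a heuristic over configuration files, not a test against a running application.

```python
import re
import xml.etree.ElementTree as ET

# Result types that fall back to the action's (and so the request URL's)
# namespace when the result sets no namespace param.
# Assumption: this is the set touched by the S2-057 fix; extend as needed.
NAMESPACE_SENSITIVE_RESULT_TYPES = {"redirectAction", "chain", "postback"}


def namespace_is_unsafe(namespace):
    """The advisory's 'no or wildcard namespace' condition on a package."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def check_struts_xml(xml_text):
    """Return (package, action, result type) for every result whose namespace
    would be taken from the request URL on a vulnerable Struts version."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        if not namespace_is_unsafe(pkg.get("namespace")):
            continue  # a fixed, non-wildcard package namespace is not affected
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in NAMESPACE_SENSITIVE_RESULT_TYPES:
                    continue
                sets_namespace = any(
                    p.get("name") == "namespace" for p in result.findall("param")
                )
                if not sets_namespace:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)
VALUE_OR_ACTION = re.compile(r"\b(value|action)\s*=", re.IGNORECASE)


def check_jsp(jsp_text):
    """Return every <s:url> tag that sets neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not VALUE_OR_ACTION.search(m.group(1))]


# Constructed vulnerable configuration (modelled on the showcase's
# struts-actionchaining.xml): package "nons" has no namespace, package "wild"
# has a wildcard namespace, and neither result sets a namespace param.
VULNERABLE_STRUTS_XML = """\
<struts>
  <package name="nons" extends="struts-default">
    <action name="actionChain1" class="org.example.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="actionChain2" class="org.example.ActionChain2">
      <result type="chain">actionChain3</result>
    </action>
  </package>
</struts>
"""

# Constructed hardened configuration: the first result sets namespace
# explicitly, the second lives in a package with a fixed namespace.
HARDENED_STRUTS_XML = """\
<struts>
  <package name="nons" extends="struts-default">
    <action name="actionChain1" class="org.example.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
  <package name="fixed" namespace="/secure" extends="struts-default">
    <action name="actionChain2" class="org.example.ActionChain2">
      <result type="chain">actionChain3</result>
    </action>
  </package>
</struts>
"""

# Constructed JSP fragment: only the first url tag sets neither value nor action.
SAMPLE_JSP = """\
<s:url var="next" />
<s:url action="register2" namespace="/secure" var="ok" />
<s:url value="/static/logo.png" var="img" />
"""

if __name__ == "__main__":
    print("vulnerable:", check_struts_xml(VULNERABLE_STRUTS_XML))
    print("hardened:", check_struts_xml(HARDENED_STRUTS_XML))
    print("jsp:", check_jsp(SAMPLE_JSP))
```

Running the script reports both results of the vulnerable configuration and the first url tag of the JSP fragment, and nothing for the hardened configuration. A fixed package namespace or an explicit namespace param on each result is enough to clear a finding, which is exactly the advisory's workaround; upgrading to 2.3.35 or 2.5.17 remains the real fix.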
Link: Apache Wiki https://cwiki.apache.org/confluence/display/WW/S2-057
Sangfor Security Cloud has already been updated and can probe websites for this vulnerability to keep users secure.
If you are not sure whether your business systems have this vulnerability, sign in to Sangfor Visioner to apply for a 30-day free trial and check your security health (http://saas.sangfor.com.cn).
For Sangfor NGAF customers, simply turn on the corresponding security protection feature.