Remote Code Execution Vulnerability in Struts 2 (S2-048)

Summary

    Apache Struts 2 is one of the most popular MVC-based Java web server frameworks in the world. In effect, it is equivalent to a Servlet and functions as the controller that establishes data interaction between the model and the views.

    If the Struts 1 plug-in (struts2-struts1-plugin, not enabled by default) is enabled in Struts 2, an attacker can submit a crafted field value that is later carried into an Action error message; this results in a remote code execution vulnerability.

Solution

    1. Use resource keys to pass messages to ActionMessage, with the user-supplied value as an argument, as shown below:

    messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

    Instead of concatenating user input into the message text, as in the following:

    messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

    2. Disable struts2-struts1-plugin (do not enable this plug-in unless necessary): delete the file struts2-struts1-plugin-2.3.x.jar from the directory /WEB-INF/lib, or move it to another directory.
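    The two ways of building the message, placed in a complete Struts 1 style Action as an added illustration (this is not the advisory's or the Struts project's own code); the Action and form class names, the forward name and the resource-bundle entry are assumptions:

```java
// Added illustration, not code from the advisory. Assumed names: SaveGangsterAction,
// GangsterForm (an ActionForm subclass with getName()), the "success" forward, and
// the following resource-bundle entry in the application's message properties file:
//     struts1.gangsterAdded=Gangster {0} was added
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

public class SaveGangsterAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // The form is populated from request parameters, so getName() is attacker-controlled.
        GangsterForm gform = (GangsterForm) form;
        ActionMessages messages = new ActionMessages();

        // UNSAFE (the pattern the advisory warns against): request-controlled text is
        // spliced into the message itself, so whatever the client put in the field is
        // handled as part of the message rather than as plain data.
        // messages.add("msg", new ActionMessage(
        //         "Gangster " + gform.getName() + " was added"));

        // SAFE: the first argument is a fixed resource key; the user-supplied name is
        // passed only as a format argument that fills the {0} placeholder of the bundle entry.
        messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

        // Store the messages so the view can render them after the redirect/forward.
        saveMessages(request, messages);
        return mapping.findForward("success");
    }
}
```

    Searching the code base for ActionMessage constructors whose first argument is built by string concatenation is a quick way to find remaining instances of the unsafe pattern.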

    If a Sangfor NGAF appliance has been deployed in your network, update its vulnerability database to version 20170708 or later to defend against this vulnerability.