CVE-2025-15582
Friday, February 27, 2026

Remote Code Execution in Apache Struts 3.0.1 through Expression Language Injection

Apache Struts versions 3.0.0 through 3.0.1 contain a critical vulnerability in the expression language (EL) processor that allows remote attackers to execute arbitrary code via crafted OGNL expressions in HTTP parameters when dynamic method invocation is enabled.

Not KEV Listed. Fix Available.

This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.

A serious security flaw was found in Apache Struts, which is popular software used to build web applications. The vulnerability allows attackers to take complete control of servers running vulnerable versions of Struts by sending specially crafted web requests. This is particularly dangerous because an attacker doesn't need any special access or credentials - they just need to be able to send requests to the affected web application.

Think of it like finding a magic phrase that lets someone bypass all the security at a building's front desk and gain access to restricted areas. In this case, the 'magic phrase' is a specially formatted web request that tricks Struts into running whatever commands the attacker wants.

Affected Products

1 affected product identified

Product   Vendor   Version       Patched
Struts    Apache   3.0.0-3.0.1   3.0.2

Remediation

Fix Available

1. Upgrade to Apache Struts version 3.0.2 or later

2. If immediate upgrade is not possible, disable dynamic method invocation by setting 'struts.enable.DynamicMethodInvocation=false' in struts.xml

3. Implement WAF rules to block requests containing suspicious OGNL expressions

4. Monitor systems for signs of exploitation
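The following script is an added example, not part of this advisory or of the Apache Struts project. It covers steps 2 and 4 above: it checks a struts.xml for the struts.enable.DynamicMethodInvocation constant named in step 2 (shown once at its weak value and once corrected), and it scans access-log request lines, URL-decoding each query parameter, for the OGNL expression markers (%{ and ${) that a monitoring rule would key on. The struts.xml fragments and log lines are constructed samples; the flag format is an assumption.

```python
"""Config check and log triage for the two mitigation steps above.

Added example, not advisory or project code. Both inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, unquote, urlsplit

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed struts.xml that leaves dynamic method invocation enabled.
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>
"""

# The same file with the constant set as remediation step 2 directs.
FIXED_STRUTS_XML = WEAK_STRUTS_XML.replace(
    'DynamicMethodInvocation" value="true"',
    'DynamicMethodInvocation" value="false"',
)


def dmi_disabled(struts_xml: str) -> bool:
    """Return True only if struts.xml explicitly sets the DMI constant to false.

    A missing constant is reported as not disabled: the mitigation calls for
    the setting to be present and false, so the check does not rely on a
    framework default.
    """
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() == "false"
    return False


# OGNL expression delimiters that a WAF or log rule would look for.
OGNL_MARKERS = re.compile(r"%\{|\$\{")

# Constructed access-log lines: "METHOD request-target status".
SAMPLE_LOG = [
    "GET /app/orders.action?id=42 200",
    "GET /app/orders.action?id=%25%7Bexample%7D 200",  # "%{example}" URL-encoded
    "POST /app/login.action?user=alice 302",
    "GET /app/search.action?q=%24%7Bname%7D 500",  # "${name}" URL-encoded
]


def flag_ognl_requests(log_lines):
    """Return (line, parameter, decoded_value) for each query parameter whose
    URL-decoded value contains an OGNL expression marker."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD target status" line; skip it
        query = urlsplit(parts[1]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already percent-decodes once; decode again so a
            # double-encoded value is inspected in its final form.
            decoded = unquote(value)
            if OGNL_MARKERS.search(decoded):
                hits.append((line, name, decoded))
    return hits


if __name__ == "__main__":
    print("weak struts.xml, DMI disabled:", dmi_disabled(WEAK_STRUTS_XML))
    print("fixed struts.xml, DMI disabled:", dmi_disabled(FIXED_STRUTS_XML))
    for line, name, value in flag_ognl_requests(SAMPLE_LOG):
        print(f"flag: parameter {name!r} = {value!r} in {line!r}")
```

The log scan is deliberately narrow: it only inspects query parameters and only looks for the two expression delimiters, so it is a triage filter for step 4 rather than a substitute for the WAF rules in step 3 or for the upgrade in step 1.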

CVSS Score: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Vector (v3.1)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Quick Info
CVE ID: CVE-2025-15582
Severity: Critical
Fix: Available
KEV: Not Listed
Published: Feb 27, 2026