CVE-2025-54068
Saturday, March 21, 2026

Remote Code Execution in Apache Struts 3.0.1 through Expression Language Injection

Apache Struts versions 3.0.1 through 3.0.8 contain a critical vulnerability in the expression language (EL) processor that allows remote attackers to execute arbitrary code via crafted OGNL expressions in HTTP request parameters when dynamic method invocation is enabled.


This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.

This is a serious security flaw in Apache Struts, which is popular software used to build web applications. The vulnerability allows hackers to take complete control of servers running vulnerable versions of Struts by sending specially crafted web requests.

The problem occurs because Struts doesn't properly check and validate certain types of input from users before processing it. This means an attacker can send malicious code hidden inside what looks like a normal web request, and the server will run that code without realizing it's dangerous.

Once exploited, attackers could potentially steal data, install malware, or take full control of the affected server. This vulnerability is particularly concerning because it can be exploited remotely without needing any kind of login credentials.

Affected Products

1 affected product identified

Product   Vendor   Version       Patched
Struts    Apache   3.0.1-3.0.8   3.0.9

Remediation

Fix Available

1. Upgrade to Apache Struts version 3.0.9 or later immediately

2. If immediate upgrade is not possible, disable dynamic method invocation by setting 'struts.enable.DynamicMethodInvocation=false' in struts.xml

3. Implement WAF rules to block requests containing suspicious OGNL expressions

4. Monitor systems for signs of exploitation
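As an added example that is not part of this advisory, the following Python script implements the monitoring step above: it scans web-server access logs for request targets that carry OGNL expression delimiters ("%{" and "${", the syntax the Struts EL processor evaluates) or the "action!method" form that dynamic method invocation accepts. The combined-log layout, the sample lines and the finding labels are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# OGNL expression delimiters evaluated by the Struts EL processor.
OGNL_DELIM = re.compile(r"[%$]\{")
# Dynamic method invocation (DMI) selects an action method as "action!method";
# seeing it in traffic shows that DMI is still reachable on a host.
DMI_BANG = re.compile(r"\.action![A-Za-z_]\w*")
# Request line inside a combined-format access-log entry.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). The second line carries a
# benign, percent-encoded OGNL expression "%{1+1}" purely as a detection probe.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2026:10:00:01 +0000] "GET /app/list.action?page=2 HTTP/1.1" 200 512
10.0.0.7 - - [21/Mar/2026:10:00:02 +0000] "GET /app/list.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 640
10.0.0.9 - - [21/Mar/2026:10:00:03 +0000] "GET /app/user.action!delete?id=7 HTTP/1.1" 200 128
10.0.0.7 - - [21/Mar/2026:10:00:04 +0000] "POST /app/login.action HTTP/1.1" 302 0
"""


def decode_target(target):
    """URL-decode twice so a %25-encoded '%' cannot hide the '%{' delimiter."""
    return unquote(unquote(target))


def analyse_target(target):
    """Return the list of findings for one request target (path plus query)."""
    decoded = decode_target(target)
    findings = []
    if OGNL_DELIM.search(decoded):
        findings.append("ognl-delimiter")
    if DMI_BANG.search(decoded):
        findings.append("dmi-bang-syntax")
    return findings


def scan_log(text):
    """Return (client_ip, target, findings) for every log line with a finding."""
    hits = []
    for line in text.splitlines():
        match = REQ_LINE.search(line)
        if not match:
            continue  # skip lines that are not access-log entries
        findings = analyse_target(match.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(findings)}")
```

Access logs only record the request line, so parameters sent in a POST body need WAF or application-level request logging to be checked the same way.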


Sources & References

CVSS Score
9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Vector (v3.1)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Quick Info
CVE ID: CVE-2025-54068
Severity: Critical
Fix: Available
KEV: Not Listed
Published: Mar 21, 2026