Remote Code Execution in Apache Struts Framework via OGNL Expression Injection
A critical vulnerability in Apache Struts versions 2.5.0 through 2.5.30 allows remote attackers to execute arbitrary code via crafted OGNL expressions in HTTP request parameters when Dynamic Method Invocation is enabled.

This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.
This is a serious security flaw in Apache Struts, popular software used to build web applications. The flaw lets attackers completely take over servers running vulnerable versions of Struts by sending specially crafted web requests.
When a server runs an affected version of Struts with Dynamic Method Invocation enabled, attackers can trick it into running any commands they want simply by sending malicious web traffic. That could let them steal data, install malware, or cause other damage.
This type of vulnerability is especially dangerous because it can be exploited over the internet without any password or prior access. Many major companies use Struts, which makes this a high-profile security issue.
Affected Products
- Apache Struts 2.5.0 through 2.5.30 (fixed in 2.5.31)
Remediation
1. Upgrade to Apache Struts version 2.5.31 or later
2. If immediate upgrade is not possible, disable Dynamic Method Invocation by setting struts.enable.DynamicMethodInvocation=false in struts.xml
3. Implement WAF rules to block requests containing suspicious OGNL expressions
4. Monitor systems for exploitation attempts
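As an added example (not part of this advisory and not Struts project code), the following Python audit checks a deployment against steps 1 and 2: whether the reported version falls in the affected range 2.5.0 through 2.5.30, and whether struts.xml explicitly sets struts.enable.DynamicMethodInvocation to false. The sample struts.xml contents are constructed, and the check assumes the constant lives in struts.xml only; the same constant set in struts.properties or elsewhere would not be seen.

```python
import re
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
AFFECTED_MIN = (2, 5, 0)    # first affected version stated on the page
FIXED_VERSION = (2, 5, 31)  # first fixed version stated on the page

def parse_version(version: str) -> tuple:
    """'2.5.30' -> (2, 5, 30); pads short strings, ignores suffixes like '-SNAPSHOT'."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in (nums + ["0", "0", "0"])[:3])

def version_in_affected_range(version: str) -> bool:
    """True when the version is inside the page's affected range 2.5.0 through 2.5.30."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION

def dmi_status(struts_xml: str) -> str:
    """Report the DMI constant from struts.xml: 'disabled' only for an explicit
    'false', 'enabled' for any other value (conservative), 'unset' if absent.
    Only struts.xml is inspected, as in remediation step 2; the same constant
    set in struts.properties or web.xml would not be seen here (assumption)."""
    status = "unset"
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = (const.get("value") or "").strip().lower()
            status = "disabled" if value == "false" else "enabled"  # last one wins
    return status

def audit(version: str, struts_xml: str) -> list:
    """Findings against remediation steps 1 and 2; an empty list means both pass."""
    findings = []
    if version_in_affected_range(version):
        findings.append(f"Struts {version} is in 2.5.0-2.5.30: upgrade to 2.5.31 or later")
    if dmi_status(struts_xml) != "disabled":
        findings.append(f"{DMI_CONSTANT} is not explicitly false in struts.xml")
    return findings

# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
HARDENED_STRUTS_XML = WEAK_STRUTS_XML.replace('value="true"', 'value="false"')

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit("2.5.30", xml))
```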
Sources & References
- NVD
- Apache Struts Security Advisory