Apache Struts Remote Code Execution (S2-057) - Vulnerability Database

Apache Struts Remote Code Execution (S2-057)

Description

Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain a remote code execution vulnerability in the namespace handling mechanism. When an application uses action results with no defined namespace while their parent actions have either no namespace or use wildcard namespaces, attackers can manipulate the namespace value to execute arbitrary code. This vulnerability stems from insufficient validation of user-supplied namespace parameters during action mapping resolution.

Remediation

Immediately upgrade to Apache Struts version 2.3.35 or later for the 2.3.x branch, or version 2.5.17 or later for the 2.5.x branch. Follow these steps:

1. Update the Struts dependency in your project build file (pom.xml for Maven or build.gradle for Gradle) to the patched version
2. Rebuild and redeploy your application
3. Verify that all action mappings explicitly define namespaces rather than relying on wildcards or empty namespaces
4. Test the application thoroughly after upgrading to ensure compatibility

As a temporary mitigation if immediate patching is not possible, review and explicitly define namespaces for all actions and results in your struts.xml configuration file, avoiding wildcard or empty namespace declarations.
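The following audit script is an added example and is not part of this entry or of the Struts project: it implements the check behind step 3 and the interim mitigation by parsing a struts.xml and reporting every action whose parent package has no namespace or a wildcard namespace and that has a redirect-style result with no explicit namespace parameter. The embedded struts.xml is a constructed sample containing two weak packages and one hardened package; limiting the check to the `redirectAction` and `chain` result types, and treating any `*` in a namespace as a wildcard, are assumptions of this example.

```python
"""Audit a struts.xml for the configuration pattern that S2-057 depends on:
a package with no namespace or a wildcard namespace whose actions have
redirect-style results that define no namespace of their own."""
import xml.etree.ElementTree as ET

# Result types whose target action is resolved through the namespace
# mechanism. Assumption: the example only inspects these two types.
NAMESPACE_RESOLVING_RESULTS = {"redirectAction", "chain"}

# Constructed sample struts.xml (not from a real application).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- wildcard namespace on the parent package: weak -->
  <package name="orders" namespace="/*" extends="struts-default">
    <action name="checkout" class="example.CheckoutAction">
      <!-- redirectAction result without a namespace param: flagged -->
      <result type="redirectAction">summary</result>
    </action>
  </package>
  <!-- no namespace attribute at all: also weak -->
  <package name="legacy" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result type="chain">home</result>
      <!-- plain dispatcher result is not resolved via namespace: not flagged -->
      <result name="error">/WEB-INF/jsp/error.jsp</result>
    </action>
  </package>
  <!-- hardened: explicit package namespace and explicit result namespace -->
  <package name="orders-fixed" namespace="/orders" extends="struts-default">
    <action name="checkout" class="example.CheckoutAction">
      <result type="redirectAction">
        <param name="actionName">summary</param>
        <param name="namespace">/orders</param>
      </result>
    </action>
  </package>
</struts>
"""


def package_namespace_is_weak(namespace):
    """A missing or empty namespace, or one containing a wildcard, is weak."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def result_defines_namespace(result):
    """True when a <result> carries a non-empty <param name="namespace">."""
    for param in result.findall("param"):
        if param.get("name") == "namespace" and (param.text or "").strip():
            return True
    return False


def audit_struts_config(xml_text):
    """Return one finding (a dict) per weak package/action/result triple."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    findings = []
    for package in root.iter("package"):
        namespace = package.get("namespace")
        if not package_namespace_is_weak(namespace):
            continue
        for action in package.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in NAMESPACE_RESOLVING_RESULTS:
                    continue
                if result_defines_namespace(result):
                    continue
                findings.append({
                    "package": package.get("name"),
                    "namespace": namespace,
                    "action": action.get("name"),
                    "result": result.get("name", "success"),
                    "type": result.get("type"),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_struts_config(SAMPLE_STRUTS_XML):
        print("weak namespace: package=%(package)s (namespace=%(namespace)r) "
              "action=%(action)s result=%(result)s type=%(type)s" % finding)
```

Run against a real deployment by replacing `SAMPLE_STRUTS_XML` with the contents of the application's struts.xml; each finding names a package that should receive an explicit namespace and a result that should receive a `<param name="namespace">`, as the hardened `orders-fixed` package in the sample shows. The script only confirms whether the configuration pattern is present; the upgrade to 2.3.35 or 2.5.17 remains the actual fix.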
