Apache Struts2 remote code execution vulnerability
Description
Apache Struts2 contains a remote code execution vulnerability caused by forced double evaluation of OGNL (Object-Graph Navigation Language) expressions in certain tag attributes. When user-controlled input is passed to affected tags, the framework evaluates the OGNL expression twice—first during initial processing and again during rendering. This double evaluation allows attackers to inject malicious OGNL statements that execute arbitrary code on the server.
Remediation
Apply the following remediation steps in order of priority:
1. Upgrade Apache Struts: Immediately upgrade to Struts 2.3.28 or later, which limits the malicious effects of forced double evaluation and includes additional security controls.
2. Validate and Sanitize Input: Implement strict input validation for all user-supplied data before it is used in tag attributes. Reject or sanitize any input containing OGNL expression syntax such as %{}, ${}, or #{}.
3. Avoid Forced Evaluation: Do not use the forced evaluation syntax %{...} in tag attributes unless absolutely necessary for your application's functionality. Review all JSP files and remove unnecessary forced evaluations.
4. Apply Defense in Depth: Configure a Web Application Firewall (WAF) to detect and block requests containing OGNL injection patterns as a temporary mitigation while upgrading.
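As an added illustration of step 2 (not code from the advisory or from the Struts project), the servlet Filter below rejects any request parameter whose name or value carries one of the three expression markers before the value can reach a tag attribute. The class name is hypothetical and the javax.servlet 3.x API is assumed; it is a stop-gap alongside the upgrade in step 1, not a substitute for it.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; register it in web.xml ahead of the Struts filter.
public class OgnlInputFilter implements Filter {

    // The markers named in remediation step 2: %{, ${ and #{. The check runs on
    // container-decoded parameters, so percent-encoded forms are covered too.
    private static final Pattern OGNL_MARKER = Pattern.compile("[%$#]\\{");

    // True when any parameter name or value contains an expression marker.
    static boolean containsOgnlSyntax(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (OGNL_MARKER.matcher(e.getKey()).find()) {
                return true;
            }
            for (String v : e.getValue()) {
                if (v != null && OGNL_MARKER.matcher(v).find()) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && containsOgnlSyntax(req.getParameterMap())) {
            // Stop the value before a tag attribute subject to forced double
            // evaluation can interpret it; the 400 also gives a clean log signal.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Request rejected: expression syntax is not allowed in input");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}
}
```

Legitimate fields that must contain a literal `${` (for example template snippets) need an allow-list exception, so review the rejection log after deployment rather than assuming every hit is hostile.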