Apache Struts2 Remote Command Execution (S2-048) - Vulnerability Database

Description

Apache Struts 2.3.x is vulnerable to remote code execution through the Struts 1 plugin, as demonstrated by the Struts 1 integration example in the Struts2 Showcase application. The vulnerability arises when raw, unsanitized user input is passed directly to an ActionMessage constructor instead of a predefined resource key: because that value is evaluated as an expression rather than treated as a plain message, an attacker can inject and execute arbitrary code on the server.

Remediation

Immediately update to Apache Struts version 2.3.32 or later, or version 2.5.10.1 or later. Review all code that uses ActionMessage and ensure that only resource keys from property files are used, never raw user input or concatenated strings.

Correct implementation using resource keys:

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

Vulnerable pattern to avoid (DO NOT USE):

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

Conduct a comprehensive code review to identify and remediate all instances where user-controlled data is passed directly to ActionMessage constructors. Consider implementing input validation and output encoding as additional defense-in-depth measures.
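To support the code review the remediation calls for, here is an added example (not from this page or the Struts project) that scans Java source for ActionMessage constructors whose first argument is anything other than a single literal resource key, which is exactly the pattern that turns user input into an evaluated message. The Java snippet it runs over is constructed for the example.

```python
import re

# Constructed Struts 1 action snippet (not from the page or the Struts project).
SAMPLE_JAVA = '''\
ActionMessages messages = new ActionMessages();
// safe: literal resource key, user input only as a format parameter
messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
// unsafe: user input concatenated into the key itself
messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
// unsafe: the whole key comes from a variable
messages.add("msg", new ActionMessage(key));
'''

CALL = re.compile(r"new\s+ActionMessage\s*\(")
LITERAL_KEY = re.compile(r'^"[A-Za-z0-9_.\-]+"$')  # e.g. "struts1.gangsterAdded"

def _first_argument(src, start):
    # Text of the first constructor argument, starting just after "(";
    # stops at the first top-level "," or ")" outside string literals.
    depth, i, in_str = 0, start, False
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                break
            depth -= 1
        elif c == "," and depth == 0:
            break
        i += 1
    return src[start:i].strip()

def find_unsafe_action_messages(src):
    # Return (line_number, first_argument) for every ActionMessage whose first
    # argument is anything other than a single literal resource key.
    findings = []
    for m in CALL.finditer(src):
        arg = _first_argument(src, m.end())
        if not LITERAL_KEY.match(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings
```

Running find_unsafe_action_messages(SAMPLE_JAVA) reports lines 5 and 7 and leaves the resource-key call on line 3 alone; a literal key that itself contains spaces or expression syntax is also reported, since it cannot be a property-file key.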
