Apache Struts2 Remote Command Execution (S2-053) - Vulnerability Database

Apache Struts2 Remote Command Execution (S2-053)

Description

Apache Struts 2 versions prior to 2.3.34 and 2.5.12 (S2-053, CVE-2017-12611) contain a remote code execution vulnerability in the Freemarker template engine integration. The Struts tags used from Freemarker templates (<@s.hidden ...>, <@s.textfield ...> and so on) evaluate their attribute values, and any %{...} sequence in an attribute is handed to OGNL. When a developer writes a Freemarker expression such as ${userInput} into a tag attribute instead of a string literal, the request value is evaluated twice: Freemarker first substitutes it into the attribute, then the Struts tag evaluates the result. An attacker who controls that input can therefore inject an OGNL expression that executes arbitrary code with the privileges of the application server, leading to complete compromise of the host. Only applications whose templates pass user-controlled input into tag attributes this way are exploitable, but the pattern is easy to write and hard to spot in a template review, so the upgrade should not be skipped on the assumption that no template does it.

Remediation

Immediately upgrade to Apache Struts 2.5.12 or later (recommended), or Struts 2.3.34 or later if upgrading to 2.5.x is not feasible.

1. Update the Struts dependency (org.apache.struts:struts2-core) in your project's build configuration (pom.xml for Maven or build.gradle for Gradle) to version 2.5.12 or later, or to 2.3.34 or later if you must stay on the 2.3 branch, and confirm that no other module, parent POM or plugin still pins an older version
2. Review every Freemarker template for Struts tags whose attributes contain a Freemarker expression (a ${...} interpolation inside the quotes, or an unquoted variable such as value=redirectUri); use string literals and let Struts resolve the value from the value stack
3. Verify that user input is never passed to Freemarker tag attributes without validation; a request parameter must not be able to reach a tag attribute as raw text, whatever the Struts version
4. Test the application thoroughly after upgrading to ensure compatibility
5. If immediate patching is not possible, implement a web application firewall (WAF) rule to block requests containing OGNL expression markers such as %{ as a temporary mitigation; treat this only as a stopgap, since signature rules can be bypassed and do not remove the double evaluation from the templates
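The version check in step 1 and the template review in step 2 can be scripted. The following is an added example written for this page, not code from Invicti or the Apache Struts project. It assumes a Maven build (the pom.xml layout), the default <@s.xxx ...> tag prefix that Struts' Freemarker integration registers, and runs on constructed sample inputs embedded in the block.

```python
"""Audit helpers for the S2-053 remediation steps: version check and template review.
Added example for this page, not Invicti's or Apache Struts' own code."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# First release on each maintained branch that carries the S2-053 fix.
FIXED = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 12)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", version.strip()):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def is_patched(version: str) -> bool:
    """True when the given struts2-core version already contains the fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # 2.0.x to 2.2.x never received the fix; anything newer than 2.5 has it.
        return v >= (2, 6)
    return v >= fixed


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace prefix


def struts_core_version(pom_xml: str) -> Optional[str]:
    """Version declared for org.apache.struts:struts2-core, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.struts" and f.get("artifactId") == "struts2-core":
            m = re.fullmatch(r"\$\{([^}]+)\}", f.get("version", ""))
            return props.get(m.group(1)) if m else f.get("version")
    return None


# A Struts tag in a Freemarker template, e.g. <@s.hidden name="x" value=y />
TAG_RE = re.compile(r"<@s\.(\w+)\b([^>]*?)/?>")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s/>]+)""")


def scan_template(text: str) -> List[Tuple[int, str, str, str]]:
    """(line, tag, attribute, value) for each tag attribute that is not a plain
    string literal: a quoted string holding a ${...} interpolation, or an
    unquoted Freemarker expression. In both cases Freemarker substitutes the
    value first and the Struts tag then evaluates %{...} in the result as OGNL."""
    findings = []
    for m in TAG_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for attr, value in ATTR_RE.findall(m.group(2)):
            quoted = value[0] in "\"'"
            if not quoted or "${" in value:
                findings.append((line, m.group(1), attr, value))
    return findings


# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts2.version>2.5.10.1</struts2.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_TEMPLATE = """<#-- constructed template; lines 3-5 follow the unsafe pattern -->
<@s.form action="login">
  <@s.hidden name="${redirectUri}" />
  <@s.hidden name="redirectUri" value="${redirectUri}" />
  <@s.textfield name="user" value=user />
  <@s.hidden name="redirectUri" value="%{redirectUri}" />
  <@s.submit value="Log in" />
</@s.form>"""

if __name__ == "__main__":
    v = struts_core_version(SAMPLE_POM)
    if v is None:
        print("struts2-core is not declared directly; check parent and transitive dependencies")
    else:
        state = "patched" if is_patched(v) else "VULNERABLE, upgrade to 2.5.12+ or 2.3.34+"
        print(f"struts2-core {v}: {state}")
    for line, tag, attr, value in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line}: <@s.{tag}> attribute {attr}={value} is not a string literal")
```

Run it against your own pom.xml and each .ftl file in the project. The scanner deliberately flags unquoted attribute values as well as ${...} interpolations, because both deliver Freemarker's result to the tag as raw text; a "%{...}" literal is left alone because Struts evaluates it once against the value stack and does not re-parse the string it returns. A version that resolves to None means struts2-core is inherited from a parent or pulled in transitively, which the script cannot see, so check the effective POM (mvn dependency:tree) in that case.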

Incorrect usage to avoid (Freemarker substitutes the request value into the attribute, and the Struts tag then evaluates any %{...} in the result as OGNL, so the second form is just as exposed as the first):

<@s.hidden name="${userInput}" />
<@s.hidden name="fieldName" value="${userInput}" />

Correct usage (string literals only; the tag resolves the value from the value stack once, and the string it gets back is never parsed again, so a request value containing %{...} stays plain text):

<@s.hidden name="fieldName" />
<@s.hidden name="fieldName" value="%{userInput}" />
