Code Evaluation (Apache Struts) S2-016
Description
Apache Struts 2 versions 2.0.0 through 2.3.15 contain a critical remote code execution vulnerability in the DefaultActionMapper component. This component processes special parameter prefixes ("action:", "redirect:", and "redirectAction:") intended for navigation shortcuts in form submissions. However, the framework fails to properly sanitize the values following these prefixes before evaluating them as OGNL (Object-Graph Navigation Language) expressions against the value stack. This allows attackers to inject and execute arbitrary OGNL code on the server by crafting malicious parameter values in HTTP requests.
Remediation
Immediately upgrade to Apache Struts 2.3.15.1 or later, which includes proper input sanitization for the DefaultActionMapper component. Follow these steps:
1. Update the Struts 2 dependency in your project build configuration (pom.xml for Maven or build.gradle for Gradle) to version 2.3.15.1 or higher
2. Rebuild and redeploy all affected applications
3. Test thoroughly to ensure compatibility with the updated framework
4. If immediate patching is not possible, implement a temporary workaround by creating a custom ActionMapper that restricts or disables the action:/redirect:/redirectAction: prefix functionality
5. Review application logs for any suspicious parameter patterns that may indicate exploitation attempts
Organizations unable to upgrade immediately should consider implementing web application firewall (WAF) rules to block requests containing suspicious OGNL expressions in parameter values, though this should only be considered a temporary mitigation until proper patching is completed.
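The log review in step 5 and the request pattern a WAF rule would match can be expressed as a small scanner. The following Python script is an added example, not code from the advisory or from the Struts project: it parses access-log lines in common/combined format, percent-decodes each parameter name and value (a second time if needed, so double-encoded requests are compared in decoded form), and flags the three DefaultActionMapper prefixes together with the ${ and %{ OGNL expression markers. The log layout, the sample lines and the severity labels are assumptions of the example; the sample lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter prefixes interpreted by DefaultActionMapper (named in the advisory).
SPECIAL_PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL is evaluated from "${...}" or "%{...}"; the opening marker is enough to flag.
OGNL_MARKER = re.compile(r"[$%]\{")

# Common/combined access-log layout; assumed format, matches the sample below.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2013:10:00:01 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '192.0.2.11 - - [17/Jul/2013:10:00:05 +0000] "POST /app/save.action?redirectAction:index HTTP/1.1" 302 0',
    '198.51.100.7 - - [17/Jul/2013:10:00:09 +0000] "GET /app/index.action?redirect:%24%7B%27probe%27%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [17/Jul/2013:10:00:12 +0000] "GET /app/index.action?redirect%253A%2524%257B%2527p%2527%257D HTTP/1.1" 302 0',
    '192.0.2.12 - - [17/Jul/2013:10:00:20 +0000] "GET /app/search.action?q=%25%7B%27x%27%7D HTTP/1.1" 200 2048',
]


def normalize(text, rounds=2):
    """Percent-decode up to `rounds` more times so a double-encoded parameter
    is compared in its decoded form (parse_qsl already decoded it once)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_param(name, value):
    """Return (severity, reason) for one parameter, or None if nothing is notable.

    high   : a special prefix combined with an OGNL marker (the S2-016 pattern)
    medium : an OGNL marker in a name or value without a special prefix
    low    : a special prefix used as a plain navigation shortcut
    """
    name, value = normalize(name), normalize(value)
    prefixed = next((p for p in SPECIAL_PREFIXES if name.startswith(p)), None)
    has_ognl = bool(OGNL_MARKER.search(name) or OGNL_MARKER.search(value))
    if prefixed and has_ognl:
        return "high", f"OGNL expression combined with '{prefixed}' prefix"
    if has_ognl:
        return "medium", "OGNL expression marker in request parameter"
    if prefixed:
        return "low", f"'{prefixed}' navigation prefix present"
    return None


def scan_log(lines):
    """Scan access-log lines and return one finding dict per notable parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        query = urlsplit(m.group("target")).query
        # keep_blank_values: a prefixed name with no '=' must still be seen
        for name, value in parse_qsl(query, keep_blank_values=True):
            result = classify_param(name, value)
            if result:
                severity, reason = result
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "severity": severity,
                    "parameter": normalize(name)[:80],
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['time']}  {f['parameter']}  ({f['reason']})")
```

Only the high-severity findings correspond to the S2-016 pattern; the low-severity ones are the legitimate navigation shortcuts the prefixes were designed for, and are listed so that a custom ActionMapper that disables the prefixes (step 4) can be checked against real usage before it is deployed.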