Code Evaluation (Apache Struts) S2-046
Description
Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 contain a remote code execution vulnerability in the Jakarta multipart parser used for file uploads. When a multipart request fails processing, for example because of a malformed Content-Disposition value or a Content-Length that exceeds the configured upload limit, the resulting error message embeds the attacker-supplied filename and is passed through the framework's localized error-text lookup, which evaluates OGNL expressions found in the message. An unauthenticated attacker can therefore place an OGNL expression in the filename of an upload and have it executed on the server.
Remediation
Apply one of the following remediation steps immediately:
1. Upgrade Apache Struts (Recommended)
• For 2.3.x branch: Upgrade to version 2.3.32 or later
• For 2.5.x branch: Upgrade to version 2.5.10.1 or later
• Verify the upgrade by checking the version of the struts2-core JAR actually deployed with your application (not only the version declared in the build file)
2. Temporary Mitigation (if immediate upgrade is not possible)
• Implement a servlet filter, mapped ahead of the Struts filter in the chain, that validates the Content-Type, Content-Length and Content-Disposition of multipart requests and rejects malformed ones. Checking Content-Type alone is not sufficient for this issue: an S2-046 request carries a well-formed multipart/form-data Content-Type, and the malicious data sits in the part's filename and in an oversized Content-Length.
• Restrict file upload functionality to authenticated users only. Note that the multipart parser runs before any action or interceptor, so application-level authentication inside Struts does not prevent the vulnerable code path; the restriction must be enforced in front of the Struts filter (container security constraint or reverse proxy).
• Deploy a Web Application Firewall (WAF) with rules to detect and block exploitation attempts, treating it as defense in depth rather than a fix
3. Verification
• After remediation, scan the application using updated vulnerability scanners
• Review application, proxy and WAF logs for multipart requests with unusual Content-Disposition filenames (OGNL markers such as %{ or ${, null bytes) or oversized Content-Length values, and for multipart parser errors around the same times, as signs of prior exploitation
• Monitor for unusual system activity or unauthorized access
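The following example, written for this page and not part of Apache Struts, shows the validation logic that the servlet filter or WAF rule in step 2 would apply, and that the log review in step 3 can run over captured requests. It parses a raw HTTP request, checks that a multipart Content-Type is well formed, compares Content-Length against an assumed application-specific limit, and scans each part's Content-Disposition filename for OGNL markers and null bytes. The upload limit, the host name and both sample requests are constructed for the example; the placeholder expression in the second request is deliberately not a working payload.

```python
"""Multipart request checks for the S2-046 vector.

Example code written for this page; not Apache Struts project code.
"""
import re
from typing import Dict, List

# Struts' default upload limit (struts.multipart.maxSize) is 2 GiB; a request
# declaring more than the limit is what pushes the parser onto the error path
# abused by S2-046. A much smaller, application-specific limit is assumed here.
MAX_CONTENT_LENGTH = 10 * 1024 * 1024  # assumption: 10 MiB for this application

# Characters that have no business in a header or a filename: the two OGNL
# expression openers and the null byte used to terminate the filename early.
SUSPICIOUS_MARKERS = (b"%{", b"${", b"\x00")

# Extracts the filename parameter of a Content-Disposition part header.
CD_FILENAME_RE = re.compile(
    rb'content-disposition:[^\r\n]*?filename="?([^"\r\n]*)', re.IGNORECASE
)


def _parse_headers(head: bytes) -> Dict[bytes, bytes]:
    """Turn the request head (request line plus headers) into a lowercase dict."""
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_multipart_request(raw: bytes) -> List[str]:
    """Return the reasons to reject the request; an empty list means accept.

    A filter would reject on any non-empty result; a log-review script would
    report the raw request together with the reasons.
    """
    reasons: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request head"]
    headers = _parse_headers(head)

    ctype = headers.get(b"content-type", b"")
    if not ctype.lower().startswith(b"multipart/form-data"):
        return reasons  # not multipart: the Jakarta parser never sees it

    if b"boundary=" not in ctype.lower():
        reasons.append("multipart/form-data without a boundary parameter")
    if any(marker in ctype for marker in SUSPICIOUS_MARKERS):
        reasons.append("OGNL marker or null byte in Content-Type")

    clen = headers.get(b"content-length")
    if clen is not None:
        try:
            if int(clen) > MAX_CONTENT_LENGTH:
                reasons.append("Content-Length exceeds upload limit")
        except ValueError:
            reasons.append("non-numeric Content-Length")

    # Scan every part's Content-Disposition filename; this is the value that
    # ends up inside the error message the framework evaluates as OGNL.
    for match in CD_FILENAME_RE.finditer(body):
        filename = match.group(1)
        if any(marker in filename for marker in SUSPICIOUS_MARKERS):
            reasons.append(f"OGNL marker or null byte in filename {filename!r}")
    return reasons


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=AaB03x\r\n"
    b"Content-Length: 186\r\n\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4 ...\r\n"
    b"--AaB03x--\r\n"
)

# Shape of an S2-046 attempt: oversized Content-Length plus an expression and a
# null byte in the filename. The expression is a non-functional placeholder.
SUSPICIOUS_REQUEST = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=AaB03x\r\n"
    b"Content-Length: 10000000000\r\n\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="%{#placeholder}\x00b"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"x\r\n"
    b"--AaB03x--\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, check_multipart_request(req) or "accepted")
```

The same checks can be mirrored as WAF rules, but none of them replace the upgrade: encoding tricks and parser differences between the filter and the Jakarta parser can let a crafted request through, and the pattern list only covers the markers known from this issue.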