Multiple critical vulnerabilities in Apache Struts2
Description
Apache Struts2 is a popular Java web application framework that uses the OpenSymphony XWork library and OGNL (Object Graph Navigation Language) for expression evaluation. A critical vulnerability exists in the default configuration where XWork's ParametersInterceptor processes HTTP parameter names as OGNL expressions without proper validation. This allows attackers to inject malicious OGNL statements through crafted HTTP requests, which are then parsed and executed by the application, leading to arbitrary Java code execution on the server.
Remediation
Immediately upgrade Apache Struts to version 2.3.1.2 or later, which includes fixes for this vulnerability. Follow these steps:
1. Download Apache Struts version 2.3.1.2 or the latest stable release from the official Apache Struts website
2. Review the release notes and migration guide for any breaking changes
3. Update all Struts2 JAR files in your application's classpath
4. Test the application thoroughly in a staging environment before deploying to production
5. If immediate patching is not possible, implement a web application firewall (WAF) rule to block requests containing suspicious OGNL expressions in parameter names
6. Monitor application logs for exploitation attempts, looking for unusual parameter patterns or OGNL syntax in HTTP requests
As a temporary mitigation, consider restricting the ParametersInterceptor to accept only expected parameter names by implementing a whitelist approach in your struts.xml configuration.
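One way to carry out the log-monitoring step (6), using the same parameter-name check a WAF rule from step (5) would apply, as an added example that is not part of the original advisory: a Python scan over constructed access-log lines that flags request parameter names containing OGNL syntax while leaving parameter values alone. The sample log lines and the set of OGNL marker characters are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote

# OGNL syntax that has no business in a legitimate parameter NAME: the '#' context
# marker, '@' static access, method-call parentheses, brackets/braces and the
# %{...} / ${...} expression delimiters. Values are deliberately not inspected.
OGNL_NAME_MARKERS = re.compile(r"[#@(){}\[\]]|%\{|\$\{")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2012:10:00:01 +0000] "GET /app/login.action?username=alice&page=2 HTTP/1.1" 200 512
10.0.0.6 - - [10/Jan/2012:10:00:02 +0000] "GET /app/login.action?%23x=1 HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2012:10:00:03 +0000] "GET /app/search.action?q=%28foo%29 HTTP/1.1" 200 100
10.0.0.8 - - [10/Jan/2012:10:00:04 +0000] "POST /app/save.action?%25%7Bfoo%7D=1 HTTP/1.1" 500 0
"""

def suspicious_param_names(target: str) -> list[str]:
    """Return decoded parameter names in a request target that contain OGNL syntax.
    Only names are checked: XWork evaluated the NAME as an expression, so '(foo)'
    inside a value (third sample line) is ordinary input and is not flagged."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    flagged = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded names are caught.
        name = unquote(name)
        if OGNL_NAME_MARKERS.search(name):
            flagged.append(name)
    return flagged


def scan_access_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, flagged_names) for every log line with a suspicious name."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            flagged = suspicious_param_names(match.group("target"))
            if flagged:
                hits.append((line.split(" ", 1)[0], flagged))
    return hits


if __name__ == "__main__":
    for ip, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: suspicious parameter name(s) {names}")
```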