Struts2/XWork remote command execution (S2-014) - Vulnerability Database

Struts2/XWork remote command execution (S2-014)

Description

This vulnerability affects Apache Struts 2 versions prior to 2.3.14.2 and allows attackers to execute arbitrary commands on the server through OGNL (Object-Graph Navigation Language) injection. The flaw occurs when specially crafted request parameters are processed by URL or Anchor tags, enabling attackers to inject malicious OGNL expressions into the application stack. These expressions are then evaluated by the framework, leading to remote code execution. This issue was initially addressed in version 2.3.14.1 (S2-013), but the fix was incomplete and did not prevent all attack vectors.

Remediation

Immediately upgrade to Apache Struts 2.3.14.2 or later, which includes the corrected OGNL and XWork libraries that properly address this vulnerability. Follow these steps:

1. Update your project dependencies to use Struts 2.3.14.2 or the latest stable version
2. Update your pom.xml (Maven) or build.gradle (Gradle) to reference the new version
3. Thoroughly test your application after the upgrade to ensure compatibility
4. Review and validate all user input handling, especially in URL and Anchor tag parameters
5. Consider implementing a Web Application Firewall (WAF) with rules to detect OGNL injection attempts as an additional defense layer

If you cannot upgrade immediately, implement strict input validation and consider temporarily disabling dynamic method invocation by setting struts.enable.DynamicMethodInvocation to false in your struts.xml configuration. This is only a temporary mitigation, not a complete fix.
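As an added example (not part of the advisory or of the Struts project), the following Python check audits a deployment against the version boundary stated above: it flags any struts2-core jar older than 2.3.14.2, calls out 2.3.14.1 separately because it carries only the incomplete S2-013 fix, and reports whether struts.xml explicitly sets the dynamic-method-invocation constant to false. The jar names and struts.xml text are constructed sample input; the function names are this example's own.

```python
import re
from xml.etree import ElementTree as ET

# From the advisory: 2.3.14.1 = incomplete S2-013 fix, 2.3.14.2 = first complete S2-014 fix.
PARTIAL_FIX = (2, 3, 14, 1)
FIXED_VERSION = (2, 3, 14, 2)
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")  # e.g. struts2-core-2.3.14.1.jar

def parse_version(text):
    """'2.3.14' -> (2, 3, 14, 0): pad to four parts so 2.3.14 sorts below 2.3.14.1."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))

def assess_version(text):
    """Classify a Struts 2 version string against the S2-014 fix boundary."""
    version = parse_version(text)
    if version >= FIXED_VERSION:
        return "fixed"
    if version == PARTIAL_FIX:
        return "vulnerable (S2-013 fix only; S2-014 not addressed)"
    return "vulnerable"

def audit_jars(jar_names):
    """Return {jar_name: status} for every struts2-core jar among the given file names."""
    findings = {}
    for name in jar_names:
        match = JAR_RE.search(name)
        if match:
            findings[name] = assess_version(match.group(1))
    return findings

def dmi_disabled(struts_xml):
    """True only if struts.xml explicitly sets the DMI constant to false (the advisory's stopgap)."""
    root = ET.fromstring(struts_xml)
    for constant in root.iter("constant"):
        if constant.get("name") == DMI_CONSTANT:
            return constant.get("value", "").strip().lower() == "false"
    return False

# Constructed sample input standing in for a deployed application's WEB-INF directory.
SAMPLE_JARS = ["struts2-core-2.3.14.1.jar", "xwork-core-2.3.14.1.jar", "commons-lang-2.4.jar"]
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""

if __name__ == "__main__":
    print(audit_jars(SAMPLE_JARS), dmi_disabled(SAMPLE_STRUTS_XML))
```

Pointing `audit_jars` at the file names under a real WEB-INF/lib gives a quick inventory of which applications still need the upgrade; the DMI check only confirms the stopgap is present, not that the application is safe.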
