Apache says Struts 2 security bug wasn't fully fixed in 2020 (Security News, April 2022)
Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications, because the first patch, issued in 2020, didn't fully do the trick.
The flaw affects Struts 2.0.0 through 2.5.29, and an attacker who can reach a vulnerable application could exploit it to run code on the server.
Struts is widely used, and this revived flaw belongs to the same class of bug, OGNL injection, that was abused in the massive Equifax breach in 2017.
In December 2020, bug hunters Alvaro Munoz of GitHub and Masato Anzai of Aeye Security Lab reported an OGNL injection vulnerability in Struts 2, tracked as CVE-2020-17530, which was rated 9.8 out of 10 on the CVSS v3 severity scale.
"Using forced OGNL evaluation on untrusted user input can lead to a remote code execution and security degradation," Apache noted in its security bulletin, both in 2020 and now.
Apache's advice is the same both times: avoid forced OGNL evaluation (the %{...} syntax) on untrusted user input, and upgrade. The 2020 bulletin pointed to Struts 2.5.26, which the foundation said would check expression evaluation so that it could not lead to double evaluation; since that check proved incomplete, and the affected range now runs up to 2.5.29, the current fix means moving to Struts 2.5.30 or later.
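The practical check that follows from the advice above is twofold: find every Struts tag attribute in your JSPs that uses forced evaluation, and confirm whether your Struts version sits in the affected range. The script below is an added example, not code from the article or from the Struts project; the JSP fragment it scans is constructed for the demonstration and mimics the `<s:a id="%{skillName}">` pattern the advisory warns about, with `skillName` assumed to come from a request parameter. The scan is deliberately a heuristic: it flags every `%{...}` attribute, including ones like `href="%{url}"` whose value is set server-side, because a static scan cannot tell which evaluated values can carry request data, so each finding needs a human to answer that question.

```python
import re
from typing import List, Tuple

# Constructed JSP fragment (not from the article or the Struts project). It mixes
# the forced-evaluation pattern the advisory warns about (id="%{skillName}", where
# skillName is assumed to be request data) with ordinary tag usage that does not
# force OGNL evaluation on anything.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="url" namespace="/employee" action="list"/>
<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
<s:textfield name="skillName" label="Skill"/>
<s:property value="skillName"/>
"""

# An opening Struts tag and its attribute list; tags may span lines, hence DOTALL.
STRUTS_TAG_RE = re.compile(r'<s:(\w+)\b([^>]*?)/?>', re.S)
# attr="value" pairs inside the attribute list.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# %{ marks forced OGNL evaluation of an attribute value.
FORCED_OGNL_RE = re.compile(r'%\{')


def find_forced_ognl(jsp: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, tag, attribute, value) for every Struts tag attribute whose
    value uses forced OGNL evaluation (%{...}).

    Every hit is a candidate, not a confirmed bug: forced evaluation is only
    dangerous when the evaluated value can contain request data, and a static
    scan cannot decide that, so each finding needs manual review.
    """
    findings = []
    for tag_match in STRUTS_TAG_RE.finditer(jsp):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = jsp.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR_RE.finditer(attrs):
            name, value = attr_match.group(1), attr_match.group(2)
            if FORCED_OGNL_RE.search(value):
                findings.append((line, tag, name, value))
    return findings


def struts_version_affected(version: str) -> bool:
    """True if a plain dotted Struts version (e.g. "2.5.29") falls in the affected
    range the article gives: 2.0.0 up to and including 2.5.29, so 2.5.30 and
    later are outside it."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    return (2, 0, 0) <= parts <= (2, 5, 29)


if __name__ == "__main__":
    for line, tag, attr, value in find_forced_ognl(SAMPLE_JSP):
        print(f'line {line}: <s:{tag}> attribute {attr}="{value}" uses forced OGNL evaluation')
    for v in ("2.5.29", "2.5.30"):
        print(f"Struts {v} in affected range: {struts_version_affected(v)}")
```

Run against the sample, the scan reports both attributes of the `<s:a>` tag on line 3; the `id="%{skillName}"` one is the case to fix, and the `href="%{url}"` one is the kind of finding a reviewer closes after confirming that `url` is built by `<s:url>` rather than taken from the request. Point `find_forced_ognl` at the contents of each `.jsp` file in a real tree to get the review list; the version check only tells you whether the framework itself carries the bug, not whether your pages expose it.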
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/13/apache_struts_bug_new_patch/
Related Vulnerability
Date | CVE | Vulnerability title | Risk (CVSS v2 base score; the 9.8 above is CVSS v3)
---|---|---|---
2020-12-11 | CVE-2020-17530 | Expression Language Injection vulnerability in multiple products. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 7.5