Security News > 2022 > April > Apache says Struts 2 security bug wasn't fully fixed in 2020

Apache says Struts 2 security bug wasn't fully fixed in 2020
2022-04-13 21:30

Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications - because the first patch, issued in 2020, didn't fully do the trick.

The security flaw exists in Struts versions 2.0.0 to 2.5.29, and an attacker could exploit it to gain control of a vulnerable system.

Struts is widely used, and this new-old security flaw is similar to the OGNL injection bug that was abused in the massive Equifax breach in 2017.

Back in December 2020, bug hunters Alvaro Munoz of GitHub and Masato Anzai of Aeye Security Lab discovered an OGNL injection vulnerability in Struts 2, tracked as CVE-2020-17530, which received a 9.8 out of 10 in terms of CVSS severity.

"Using forced OGNL evaluation on untrusted user input can lead to a remote code execution and security degradation," Apache noted in its security bulletin, both in 2020 and now.

Apache advised developers to avoid using forced OGNL evaluation on untrusted user input and also to upgrade to Struts 2.5.26, which the software foundation said will check expression evaluation to ensure it won't lead to double trouble.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/13/apache_struts_bug_new_patch/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-12-11 CVE-2020-17530 Expression Language Injection vulnerability in multiple products
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
network
low complexity
apache oracle CWE-917
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 549 713 367 1642