If you haven’t already, you might want to quickly update Apache Struts 2 to version 2.5.22, given that information has recently surfaced about potential Remote Code Execution (RCE) and denial-of-service bugs (CVE-2019-0230 and CVE-2019-0233). Experts are especially calling attention to the RCE vulnerability, since proof-of-concept (PoC) code is already showing up on GitHub.
CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability: it occurs when Struts evaluates raw user input inside tag attributes a second time. Attackers could take advantage of this by injecting malicious OGNL expressions into an attribute whose value is itself used within an OGNL expression.
It’s also important to recognize that, as far as exploitation goes, Apache Struts is a framework, so exposure depends very much on how Struts is used within an application and on whether (and how) the product exposes the vulnerability. For example, a product is exposed if it passes user input (such as HTTP request parameters) into the vulnerable tag attributes. Apache generally recommends not doing that, but again, it depends on the use case of each solution built on Apache Struts (which Apache also acknowledges in their “Recommendation”).
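As an added, defender-side example (not from the original post or from the Apache Struts project), the following Python script audits Struts 2 template source for the pattern described above: tag attributes whose values contain a forced OGNL evaluation (`%{...}`). The sample template, its property names and the classification heuristics are constructed for illustration; a hit means "review whether this value can be bound from user input", and the real fix remains upgrading to 2.5.22 and keeping raw request data out of forced-evaluation attributes.

```python
"""Audit Struts 2 JSP templates for tag attributes that force OGNL evaluation.

Constructed example: flags every <s:...> tag attribute containing %{...},
and marks those that read request context (#parameters, #request, ...) as
directly user-controlled. Everything else is reported for manual review,
because a plain action property may still be populated from request params.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample template; not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="query" label="Search" />
</s:form>
<s:a id="%{skillName}" href="/skills">%{skillName}</s:a>
<s:url id="%{#parameters.category}" action="list" />
<s:property value="title" />
"""

# Opening <s:tag ...> elements only; closing tags (</s:...>) do not match.
STRUTS_TAG_RE = re.compile(r"<s:(?P<tag>\w+)\b(?P<attrs>[^>]*)>", re.DOTALL)
# name="value" attribute pairs inside the tag.
ATTR_RE = re.compile(r'(?P<name>[\w:-]+)\s*=\s*"(?P<value>[^"]*)"')
# Forced OGNL evaluation marker inside an attribute value.
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")

# OGNL context roots that hand request data straight into the expression.
REQUEST_CONTEXT = ("#parameters", "#request", "#session", "#application")


@dataclass
class Finding:
    line: int
    tag: str
    attribute: str
    expression: str
    reason: str


def classify(expr: str) -> str:
    """Heuristic: request-context references are user-controlled by construction."""
    if any(ctx in expr for ctx in REQUEST_CONTEXT):
        return "reads request context directly inside a forced-evaluation attribute"
    return "forced evaluation of an action property; confirm it is never bound from user input"


def audit_template(source: str) -> List[Finding]:
    """Return one Finding per %{...} occurrence found in a Struts tag attribute."""
    findings: List[Finding] = []
    for tag_match in STRUTS_TAG_RE.finditer(source):
        # 1-based line number of the tag, for the report.
        line = source.count("\n", 0, tag_match.start()) + 1
        for attr in ATTR_RE.finditer(tag_match.group("attrs")):
            for forced in FORCED_RE.finditer(attr.group("value")):
                expr = forced.group("expr")
                findings.append(
                    Finding(line, tag_match.group("tag"), attr.group("name"), expr, classify(expr))
                )
    return findings


if __name__ == "__main__":
    for f in audit_template(SAMPLE_JSP):
        print(f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\"> -> {f.reason}")
```

Run against a template directory by reading each `.jsp` file into `audit_template`; `<s:textfield name="query">` and `<s:property value="title">` produce no findings because neither attribute forces a second evaluation, while the two `id="%{...}"` attributes are reported.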
Secunia rates this vulnerability as “Highly Critical” with a CVSSv3 base score of 9.8. However, as mentioned, depending on how a given product uses Apache Struts, this flaw may be exposed fully, partially, or not at all. Net, product context can alter the rating somewhat, up to potentially making the vulnerability a non-issue.
For more information, reference CVE-2019-0230, CVE-2019-0233, and the Secunia Advisory ID SA97152.