Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Struts 2 Remote Code Execution Vulnerability in ExceptionDelegator Component

Vulnerability

A remote code execution vulnerability has been identified in Apache Struts 2 versions prior to 2.2.3.1. The flaw is in the ExceptionDelegator component: when a request parameter cannot be converted to the type of the property it is bound to (for example, a non-numeric value submitted for an Integer or Long property), the framework evaluates the submitted parameter value as an OGNL expression while handling that conversion error. A remote attacker can therefore place OGNL in a parameter that targets a numeric property and have it executed as arbitrary Java code on the server.

Impact

Successful exploitation gives a remote attacker arbitrary Java code execution on the server, in the security context of the servlet container that runs the Struts application.

Reproduction

To reproduce this vulnerability, deploy an action class that exposes a property of type Integer or Long with the matching getter and setter, and map it to a Struts action configured for validation. Send a request in which that parameter carries a value that cannot be converted to the numeric type and that is itself written as an OGNL expression. The conversion fails, the framework re-evaluates the submitted value as OGNL while handling the conversion error, and the embedded expression runs on the server. Note that an ordinary non-numeric string (a typo such as abc) triggers the same conversion error without executing anything; the code execution comes from the submitted value being an OGNL expression.
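Added example, not part of this entry or of the Struts project: a Python triage script that runs over constructed request-log lines and flags parameters bound to Integer or Long properties whose submitted value would fail numeric conversion and also carries OGNL syntax, which is the combination this entry describes. The action path, the parameter names treated as numeric and the log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters that the hypothetical order action binds to Integer/Long
# properties. In a real deployment this list comes from the action's setters.
NUMERIC_PARAMS = {"id", "quantity"}

# A value that is meant to become an Integer or Long has no legitimate use for
# OGNL syntax: a quote closes an injected string literal, '#' references
# context variables, '@' references static members, '(' calls methods or
# groups sub-expressions, and '=' assigns.
OGNL_MARKERS = re.compile(r"['#@()=]")
INT_RE = re.compile(r"^[+-]?\d+$")

# Constructed sample request lines (METHOD TARGET PROTOCOL), not real traffic.
SAMPLE_LOG = [
    "GET /app/order/save.action?id=42&quantity=3 HTTP/1.1",
    # A user typo: fails Integer conversion but carries no OGNL syntax.
    "GET /app/order/save.action?id=42&quantity=abc HTTP/1.1",
    # Non-numeric value that closes a quoted literal and embeds an expression,
    # the shape a conversion-error OGNL injection takes ('%2B' decodes to '+').
    "GET /app/order/save.action?id=%27%2B%281%2B1%29%2B%27&quantity=3 HTTP/1.1",
    # OGNL-looking value bound to a String property: the conversion-error path
    # this entry describes is not involved, so this checker does not flag it.
    "GET /app/order/save.action?note=%23session HTTP/1.1",
]


def classify_value(value: str) -> str:
    """Classify a value submitted for an Integer/Long property."""
    if INT_RE.match(value.strip()):
        return "ok"
    if OGNL_MARKERS.search(value):
        return "ognl_injection_attempt"
    return "conversion_error"


def scan_request_line(line: str):
    """Return [(param, value, status)] for numeric params whose status is not ok."""
    _method, target, *_ = line.split(" ")
    findings = []
    # parse_qsl percent-decodes the values, so we see what the framework sees.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS:
            status = classify_value(value)
            if status != "ok":
                findings.append((name, value, status))
    return findings


def scan_log(lines):
    """Scan request lines; returns [(line_no, param, value, status)], 1-based."""
    return [
        (n, p, v, s)
        for n, line in enumerate(lines, 1)
        for p, v, s in scan_request_line(line)
    ]


if __name__ == "__main__":
    for n, p, v, s in scan_log(SAMPLE_LOG):
        print(f"line {n}: {p}={v!r} -> {s}")
```

The distinction between conversion_error and ognl_injection_attempt matters for triage: plain conversion errors are everyday user noise, while a value that both fails numeric conversion and contains OGNL metacharacters is exactly the input the vulnerable code path evaluates.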

Remediation

Users are advised to upgrade to Apache Struts 2.3.18 or later, the version the advisory recommends. Versions from 2.2.3.1 onward already contain the ExceptionDelegator fix described above, so any deployment with an older struts2-core should be treated as exploitable until upgraded. Independently of the upgrade, production applications should not run with developer mode (the struts.devMode setting) enabled.
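Added example, not from this entry or from the Struts project: an offline Python check that reads struts2-core jar file names from a WEB-INF/lib listing and compares each version against the two boundaries this entry gives (2.2.3.1, the first version without the ExceptionDelegator issue, and 2.3.18, the recommended upgrade), plus a check for developer mode switched on through the struts.devMode constant in struts.xml. The jar names and the struts.xml content are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

FIXED_IN = (2, 2, 3, 1)      # affected versions are "prior to 2.2.3.1"
RECOMMENDED = (2, 3, 18)     # upgrade target named in the remediation

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """Compare dotted versions of unequal length by zero-padding (2.3.18 == 2.3.18.0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_jar(filename: str):
    """Return a verdict for a struts2-core jar name, or None for any other jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    version = parse_version(m.group(1))
    return {
        "file": filename,
        "version": m.group(1),
        "vulnerable": version_lt(version, FIXED_IN),
        "below_recommended": version_lt(version, RECOMMENDED),
    }


def assess_lib_dir(filenames):
    """Verdicts for every struts2-core jar in a directory listing."""
    return [v for v in map(assess_jar, filenames) if v is not None]


def dev_mode_enabled(struts_xml: str) -> bool:
    """True if struts.xml sets the struts.devMode constant to true."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode" and \
                const.get("value", "").strip().lower() == "true":
            return True
    return False


# Constructed inputs: a plausible WEB-INF/lib listing and a struts.xml fragment.
SAMPLE_LIB_DIR = [
    "commons-lang-2.4.jar",
    "struts2-core-2.2.3.jar",
    "struts2-json-plugin-2.2.3.jar",
]
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>"""


if __name__ == "__main__":
    for verdict in assess_lib_dir(SAMPLE_LIB_DIR):
        print(verdict)
    print("devMode enabled:", dev_mode_enabled(SAMPLE_STRUTS_XML))
```

The zero-padding comparison is the one detail worth getting right: Struts versions mix three- and four-component numbers, and a naive string comparison would rank 2.3.18 below 2.3.2.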

Added: Mar 11, 2026, 7:03 PM
Updated: Mar 11, 2026, 7:03 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          6.4
  impact          7.5
  exploitability  10.0
  remediation     8.3
  relevance       0.0
  threat          9.8
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined into the overall risk score.