Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Struts Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Apache Struts versions 2.3 prior to 2.3.35 and 2.5 prior to 2.5.17. The issue arises when the 'alwaysSelectFullNamespace' option is enabled, whether set explicitly by the user or by a plugin such as the Convention Plugin. Under that setting, the vulnerability can be exploited if results are processed without a specified namespace and the enclosing package has no namespace or uses a wildcard namespace. The same applies when the 'url' tag is used without a value or action while its enclosing package has no namespace or a wildcard namespace.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable Struts application is running.

Reproduction

To reproduce this vulnerability, first ensure that the 'alwaysSelectFullNamespace' option is set to true, either manually or through a plugin that modifies namespace selection. Next, create an action that does not specify a namespace and is configured to redirect, placed in a package that either has no namespace or uses a wildcard. Once the action is in place, the vulnerability can be exploited by sending a request that includes an OGNL payload designed to execute commands on the server.
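To audit a deployment for the preconditions described above, the following added example (not part of this entry or the Struts project) parses a struts.xml and flags redirect results that lack a namespace parameter inside packages with no namespace or a wildcard namespace. It assumes the option is enabled through the struts.mapper.alwaysSelectFullNamespace constant in struts.xml (a plugin or struts.properties can also enable it, which this check does not see) and uses a constructed sample configuration.

```python
"""Flag struts.xml packages/actions matching the advisory's preconditions."""
import xml.etree.ElementTree as ET

FULL_NS_KEY = "struts.mapper.alwaysSelectFullNamespace"
REDIRECT_TYPES = {"redirect", "redirectAction"}

# Constructed sample: package "default" has no namespace and a redirect result
# without a namespace param (risky); package "admin" sets both (not flagged).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="logout" class="example.LogoutAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/admin</param>
      </result>
    </action>
  </package>
</struts>"""


def full_namespace_enabled(root):
    """True if struts.xml itself sets the option to true."""
    return any(c.get("name") == FULL_NS_KEY
               and c.get("value", "").strip().lower() == "true"
               for c in root.iter("constant"))


def find_risky_actions(xml_text):
    """Return (package, action) pairs with a redirect result that has no
    namespace param, inside a package whose namespace is absent or a wildcard."""
    root = ET.fromstring(xml_text)
    if not full_namespace_enabled(root):
        return []  # option off in this file: the advisory's precondition is not met
    risky = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace", "")
        if ns and "*" not in ns:
            continue  # fixed, non-wildcard namespace
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in REDIRECT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    risky.append((pkg.get("name"), action.get("name")))
    return risky


if __name__ == "__main__":
    for pkg, act in find_risky_actions(SAMPLE_STRUTS_XML):
        print(f"package={pkg} action={act}: redirect result without namespace")
```

Run it against a real struts.xml by reading the file into find_risky_actions; any hit is a configuration to fix or upgrade, not proof of exploitability on its own.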

Remediation

Upgrade to Apache Struts version 2.3.35 or 2.5.17. NetApp products affected by this vulnerability should also be updated.

Added: May 14, 2026, 6:14 AM
Updated: May 14, 2026, 6:14 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 7.5
exploitability: 10.0
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.