Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Struts Remote Code Execution Vulnerability via Forced OGNL Evaluation

Vulnerability

A remote code execution vulnerability exists in Apache Struts versions 2.0.0 through 2.5.25. This issue arises from improper validation of user input in tag attributes, allowing for forced evaluation of Object-Graph Navigation Language (OGNL) expressions. When raw user input is evaluated, it can lead to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Apache Struts is running.

Reproduction

To reproduce this vulnerability, an application must be using an affected version of Apache Struts and must apply forced OGNL evaluation in a way that lets user input be evaluated twice. This happens when unvalidated user input reaches a tag attribute, such as 'id', that is processed as an OGNL expression: when the tag is rendered, the already-evaluated value is evaluated again as OGNL, which can lead to code execution.

Remediation

Users are advised to upgrade to Apache Struts version 2.5.30 or later, which addresses this vulnerability by preventing unsafe double evaluation of OGNL expressions. For those unable to upgrade, the Struts Security Guide recommends not using forced OGNL evaluation on untrusted user input.
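As an added illustration, not part of this advisory and not Struts project code: a small audit script that scans JSP templates for Struts tag attributes that use forced OGNL evaluation (the %{...} syntax described under Reproduction), so each occurrence can be reviewed against the Security Guide's advice about untrusted input. The JSP lines are constructed samples; the tag, attribute and risk classification names are the script's own.

```python
import re

# Constructed sample JSP fragments (not taken from the advisory or from Struts).
# Lines 1, 2 and 4 use forced OGNL evaluation (%{...}) in a tag attribute; line 3 is
# the safe variant of line 1, with a plain literal instead of a forced expression.
SAMPLE_JSP = """\
<s:a id="%{skillName}" href="/skills">Skill</s:a>
<s:textfield name="email" label="%{getText('email.label')}" />
<s:a id="skillLink" href="/skills">Skill</s:a>
<s:url var="u" value="%{#parameters.q}" />
"""

TAG_RE = re.compile(r"<s:(?P<tag>\w+)\b(?P<attrs>[^>]*)>")          # a Struts tag
ATTR_RE = re.compile(r'(?P<name>[\w-]+)\s*=\s*"(?P<value>[^"]*)"')  # attr="value"
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")                      # %{ ... }
# An expression that is a quoted literal, or getText() of a literal, cannot carry
# user input, so it is reported as "static"; anything else is flagged for review.
STATIC_RE = re.compile(r"^\s*(getText\('[^']*'\)|'[^']*')\s*$")


def find_forced_ognl(jsp_text):
    """Return one dict per forced-OGNL attribute found in the JSP text."""
    findings = []
    for line_no, line in enumerate(jsp_text.splitlines(), start=1):
        for tag in TAG_RE.finditer(line):
            for attr in ATTR_RE.finditer(tag.group("attrs")):
                for forced in FORCED_RE.finditer(attr.group("value")):
                    expr = forced.group("expr")
                    findings.append({
                        "line": line_no,
                        "tag": tag.group("tag"),
                        "attr": attr.group("name"),
                        "expr": expr,
                        "risk": "static" if STATIC_RE.match(expr) else "review",
                    })
    return findings


def needs_review(jsp_text):
    """Findings whose expression could be fed by user input (the double-evaluation case)."""
    return [f for f in find_forced_ognl(jsp_text) if f["risk"] == "review"]


if __name__ == "__main__":
    for f in find_forced_ognl(SAMPLE_JSP):
        print(f"line {f['line']}: <s:{f['tag']} {f['attr']}=\"%{{{f['expr']}}}\"> -> {f['risk']}")
```

Every "review" hit is a place where the attribute value should be a plain literal or a value the application fully controls, as in the third sample line.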

Added: Mar 16, 2026, 8:37 PM
Updated: Mar 16, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 7.5
exploitability: 10.0
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.