Apache Commons OGNL Improper Neutralization of Expression Delimiters Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in all versions of Apache Commons OGNL, due to improper neutralization of expression and command delimiters. The issue arises when the Ognl.getValue API is given an expression that an untrusted party can influence: the OGNL engine parses and evaluates expressions with broad capabilities, including reading properties and invoking methods on arbitrary objects. While OgnlRuntime attempts to block certain dangerous classes and methods, such as those in java.lang.Runtime, the restrictions are a blocklist and are not thorough. An attacker could reach class objects the blocklist does not cover, bypass the restrictions, and potentially execute arbitrary code. The vulnerability is particularly concerning because Apache Commons OGNL is a retired project and no fix will be released. Users are advised to seek an alternative or to limit access to trusted users.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where Apache Commons OGNL is used.

Remediation

As the project is retired, no official fix will be released. Users are recommended to migrate to an alternative or to restrict access to the affected instance to trusted users; in particular, expressions passed to Ognl.getValue should never be derived from untrusted input.

Added: Aug 18, 2025, 8:23 PM
Updated: Aug 18, 2025, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.