A serious Apache Struts vulnerability from two years ago has resurfaced, and an official patch has been released

The Apache Software Foundation has issued security bulletin S2-062 to address a remote code execution vulnerability in Struts versions 2.0.0 through 2.5.29 that an attacker could exploit to take control of an affected system. In response, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an announcement urging organizations to review Apache's announcement and upgrade to the latest Struts 2 patch version as soon as possible.

The vulnerability, tracked as CVE-2021-31805, is due to an incomplete fix for CVE-2020-17530 (S2-061) in 2020. In other words, the vulnerability existed back in 2020 and was believed to be fixed at the time, but it turned out that the problem wasn't fully resolved.

In 2020, Alvaro Munoz of GitHub and Masato Anzai of Aeye Security Labs reported an OGNL injection vulnerability that affects Struts 2 versions 2.0.0 - 2.5.25 under certain circumstances. It was assigned CVE-2020-17530 and scored 9.8 out of 10 for CVSS severity.

"If the developer uses the %{...} syntax for forced OGNL evaluation, some attributes of the tag can still perform double evaluation. Using forced OGNL evaluation on untrusted user input may result in remote code execution and reduced security performance."

Object-Graph Navigation Language (OGNL) is an open source expression language for Java that uses simpler expressions than the full range supported by the Java language. It is integrated into Struts 2 and other frameworks, where its role is to access data; it provides features such as type conversion, calling object methods, and manipulating collection objects.

Although Apache addressed the vulnerabilities reported in 2020 in Struts 2.5.26, researcher Chris McCown found that the fixes applied were incomplete. He reported to Apache that the "double evaluation" problem can still be reproduced in Struts versions 2.5.26 and later.

As a workaround, Apache recommends that developers avoid using forced OGNL evaluation in tag attributes based on untrusted user input, and/or upgrade to Struts 2.5.30 or later, which checks that expression evaluation does not result in double evaluation. Apache also recommends following its security guidelines for best practices.
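One way to audit a code base against this advice, as an added example that is not from Apache or the original article: it checks a Struts version against the affected range given above and lists every Struts tag attribute that uses forced `%{...}` evaluation so each can be reviewed for user-controlled input. It assumes the tag library uses the conventional `s:` prefix; the JSP sample and its names are constructed.

```python
import re

# Affected range from the bulletin: Struts 2.0.0 through 2.5.29; fixed in 2.5.30.
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (2, 5, 30)

# Assumption: the Struts taglib is mapped to the conventional "s:" prefix.
# Limitation: an attribute value containing ">" ends the tag match early.
TAG_RE = re.compile(r"<s:([\w-]+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*("([^"]*)"|'([^']*)')""")

def parse_version(text):
    """Turn '2.5.29' into (2, 5, 29); missing parts count as 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when the version falls inside the range named in S2-062."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

def find_forced_ognl(jsp_source):
    """Return (line, tag, attribute, value) for each s: tag attribute using %{...}."""
    hits = []
    for tag in TAG_RE.finditer(jsp_source):
        line = jsp_source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            value = attr.group(3) if attr.group(3) is not None else attr.group(4)
            if "%{" in value:
                hits.append((line, tag.group(1), attr.group(1), value))
    return hits

# Constructed sample page, not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:textfield name="title" label="Title"/>
  <s:a id="%{linkId}" href="/home">Home</s:a>
  <s:label value='%{caption}'
           for="title"/>
</s:form>
"""

if __name__ == "__main__":
    for version in ("2.5.29", "2.5.30"):
        print(version, "affected" if is_affected(version) else "not affected")
    for line, tag, attr, value in find_forced_ognl(SAMPLE_JSP):
        print(f"line {line}: <s:{tag}> {attr}={value!r} -> confirm value is not user-controlled")
```

A hit is a review item, not proof of a vulnerability: what matters is whether the evaluated value can be influenced by untrusted input.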

Origin www.oschina.net/news/191310/apache-struts-bug-new-patch