Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating

Removed: High
Added: Important

Recommendation

Removed: Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1
Added: Upgrade to Struts 2.3.29

Affected Software

Removed: Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Added: Struts 2.3.20 - Struts 2.3.28.1

Reporter

Removed: Chao Jack PKAV_香草 jc1990999 at yahoo dot com
Removed: Shinsaku Nomura nomura at bitforest dot jp
Added: Alvaro Munoz alvaro dot munoz at hpe dot com

CVE Identifier

Removed: CVE-2016-3087
Added: CVE-2016-4438

Problem

It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled when using the REST Plugin.

Solution

Removed: Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1
Added: Upgrade to Apache Struts version 2.3.29

Backward compatibility

Removed: No backward incompatibility issues are expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1
Added: Some backward incompatibility issues are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround

Removed: Not possible as this fix requires changes in OGNL and how Struts uses OGNL in certain aspects
Added: Disable Dynamic Method Invocation or implement your own version of RestActionMapper.
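The Workaround section above tells operators to disable Dynamic Method Invocation. The following struts.xml fragment is an added example, not text from the advisory or from the Struts project; it shows the setting that leaves DMI enabled (the Struts 2.3.x default, which is the condition the advisory describes) next to the hardened value. The constant names struts.enable.DynamicMethodInvocation and struts.mapper.class are real Struts 2 settings; the package name, action name and controller class are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Added example for the workaround in the advisory; not the project's own file. -->
<struts>
    <!-- Weak state: Dynamic Method Invocation enabled. On Struts 2.3.x this is
         the default, so leaving the constant out entirely has the same effect
         as the commented-out line below. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Workaround from the advisory: disable Dynamic Method Invocation for the
         whole application, so "action!method" style requests are no longer
         resolved to a method by the framework. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- The REST plugin's action mapper, which affected applications use. -->
    <constant name="struts.mapper.class" value="rest" />

    <!-- Placeholder REST package; names and class are hypothetical. -->
    <package name="example-rest" extends="rest-default" namespace="/">
        <action name="orders/*" class="com.example.OrdersController">
            <param name="id">{1}</param>
        </action>
    </package>
</struts>
```

The same switch can be set as struts.enable.DynamicMethodInvocation=false in struts.properties. The advisory treats this as a workaround only: the fix it recommends is the upgrade to Struts 2.3.29, and an application that relies on the "!" method suffix will need its action mappings reworked before DMI can be turned off.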