...
Excerpt |
---|
Remote Code Execution can be performed via |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating |
Important | |
Recommendation | Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20. |
---|
3 or Struts 2.3.28.1. | |
Affected Software | Struts 2. |
---|
3. |
20 - Struts Struts 2.3.28 (except 2.3.20. |
3 and 2.3.24. |
3) | |
Reporter | Nike Zheng nike dot zheng at dbappsecurity dot com dot cn |
---|---|
CVE Identifier | CVE-2016-3081 |
Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.
...
Disable Dynamic Method Invocation when possible , if not or upgrade to Apache Struts versions 2.3.20.23, 2.3.24.2 3 or 2.3.28.1.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.23, 2.3.24.2 3 and 2.3.28.1
Workaround
Disable Dynamic Method Invocation or implement your own version of ActionMapper
based on a source code of the recommended Apache Struts versions.