May 28, 2023

Apache has fixed a critical vulnerability in Struts that was previously believed to have been resolved but wasn’t fully remedied.

Tracked as CVE-2021-31805, the critical vulnerability persists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

Struts is an open-source application development framework used by Java web developers for building model–view–controller apps.


The vulnerability results from an incomplete fix for CVE-2020-17530, also an OGNL Injection bug, which was rated critical with a score of 9.8.

Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java that simplifies the range of expressions used in the Java language. OGNL also enables developers to work with arrays more easily. But parsing OGNL expressions built from untrusted or raw user input can be a security issue.

In 2020, researchers reported a “double evaluation” flaw in Struts 2 versions 2.0.0 – 2.5.25 that could be triggered under certain circumstances. “Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. This could lead to a RCE,” states the advisory for CVE-2020-17530.

Though Apache had resolved the 2020 bug in Struts 2.5.26, the “double evaluation” problem could still be reproduced in Struts versions 2.5.26 and above, resulting in the assignment of CVE-2021-31805.

Users are advised to upgrade to Struts 2.5.30 or greater and to avoid using forced OGNL evaluation in the tag’s attributes based on untrusted user input.
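The mitigation above is a code-review task as much as an upgrade task: every place a template forces OGNL evaluation with `%{…}` on a Struts tag attribute is a candidate for the double-evaluation problem if the evaluated value can carry request data. The following audit script is an added example, not code from the article or from the Apache Struts project. It scans template text for `<s:…>` tags, reports each attribute that uses forced `%{…}` evaluation, and ranks a hit higher when the expression obviously reads request-controlled data (`#parameters`, `#request`, and similar). The tag regexes, the hint list and the sample template are constructed assumptions; whether an action property such as `user.name` is populated from a request parameter is not visible in the template, so every “review” hit still needs a human to trace the property back to its source.

```python
"""Audit Struts templates for forced OGNL evaluation in tag attributes.

Constructed example (not Apache Struts code): flags %{...} inside the
attributes of <s:...> tags so each hit can be reviewed for whether the
expression may be influenced by request data, the pattern behind the
double-evaluation advisories CVE-2020-17530 / CVE-2021-31805.
"""
import re
from typing import Dict, List

# Opening Struts tag, e.g. <s:textfield name="x" value="%{y}" />; captures tag name and attributes.
STRUTS_TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# attribute="value" pairs inside the tag text (double-quoted values only, sufficient for this check).
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Forced OGNL evaluation: %{ expression }
FORCED_OGNL_RE = re.compile(r"%\{([^}]*)\}")
# Tokens that usually mean the expression reads request-controlled data directly (assumed hint list).
REQUEST_DATA_HINTS = ("#parameters", "#request", "#session", "#application", "#attr")


def audit_template(text: str) -> List[Dict[str, object]]:
    """Return one finding per forced-OGNL attribute found in a Struts template.

    Severity is "high" when the expression references request-scoped data by
    name, otherwise "review": the property may still be request-derived, but
    that cannot be decided from the template alone.
    """
    findings: List[Dict[str, object]] = []
    for tag_match in STRUTS_TAG_RE.finditer(text):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = text.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR_RE.finditer(attrs):
            attr, value = attr_match.group(1), attr_match.group(2)
            for ognl in FORCED_OGNL_RE.finditer(value):
                expr = ognl.group(1).strip()
                severity = "high" if any(h in expr for h in REQUEST_DATA_HINTS) else "review"
                findings.append({
                    "line": line,
                    "tag": tag,
                    "attribute": attr,
                    "expression": expr,
                    "severity": severity,
                })
    return findings


# Constructed sample template: two forced evaluations plus two attributes
# that pass plain OGNL/literal values and therefore produce no finding.
SAMPLE_JSP = """
<s:form action="save">
  <s:textfield name="username" value="%{user.name}" />
  <s:a id="%{#parameters.id[0]}" href="/view">View</s:a>
  <s:textfield name="email" value="user.email" />
  <s:property value="message" />
</s:form>
"""

if __name__ == "__main__":
    for f in audit_template(SAMPLE_JSP):
        print(f"line {f['line']}: <s:{f['tag']} {f['attribute']}=\"%{{{f['expression']}}}\"> [{f['severity']}]")
```

Run it over a directory of `.jsp`, `.ftl` or `.vm` files and triage the output: "high" hits should be rewritten so the attribute no longer forces evaluation of request data; "review" hits need the referenced property traced to confirm it is not set from a request parameter. The check is deliberately pattern-based, so it complements, rather than replaces, the upgrade to Struts 2.5.30 or later.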


DHS CISA is urging organizations to upgrade to Struts2 version 2.5.30 or higher which fixes a critical OGNL Injection vulnerability.

The Equifax data breach happened due to exploitation of CVE-2017-5638, which relates to an OGNL Injection zero-day.
