A remote code execution vulnerability exists in Apache Struts2 when alwaysSelectFullNamespace is true and the action element lacks a namespace or uses wildcards. In such cases, the namespace is derived from user-supplied URI and evaluated as an OGNL expression, leading to arbitrary command execution. Affected versions: Struts 2.3.34 and earlier, and Struts 2.5.16 and earlier. The vulnerability can be reproduced by sending a crafted request with an OGNL expression in the namespace, which is executed and reflected in the response headers.
When the Struts2 configuration meets the following conditions:
alwaysSelectFullNamespace is set to true
The action element has no namespace attribute, or uses a wildcard
The namespace will be passed in by the user via the URI and evaluated as an OGNL expression, ultimately leading to an arbitrary command execution vulnerability.
Affected versions: Struts 2.3.34 and below, and Struts 2.5.16 and below
S2-057 Remote Code Execution Vulnerability (CVE-2018-11776)
When the Struts2 configuration meets the following conditions:
The namespace will be passed in by the user via the URI and evaluated as an OGNL expression, ultimately leading to an arbitrary command execution vulnerability.
Affected versions: Struts 2.3.34 and below, and Struts 2.5.16 and below
Vulnerability Details:
Vulnerability Environment
Start a Struts 2.3.34 environment that meets the conditions:
Once the environment is running, visit http://your-ip:8080/showcase/ and you will see the Struts2 test page.
Vulnerability Reproduction
Test the OGNL expression ${233*233}:
As can be seen, the result of 233*233 has been returned in the Location header.
Use the arbitrary command execution OGNL expression provided in S2-057 Principle Analysis and Reproduction Process (POC):
As can be seen, the id command has been executed successfully: