Struts2/Xwork remote command execution

Description
  • Struts2, a Java web framework, is vulnerable to remote command execution because of a flaw in XWork's ParametersInterceptor, which is enabled by default in Struts2 and WebWork applications. The extensive OGNL expression-evaluation capability of XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, relies on a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParametersInterceptor via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables.
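  • The following is an added Python example (not code from this advisory or from the Struts/XWork projects) showing the defender-side check the description implies: every incoming HTTP parameter name is normalized and then flagged if it contains "#" or refers to one of the OGNL context variables listed above. The query strings in SAMPLE_REQUESTS are constructed for the example, and the function names are the example's own; the OGNL variable names are the ones named in the description.

```python
import re

# OGNL context variables named in the advisory. No legitimate form field or
# bean property exposed through an HTTP parameter name should refer to them.
OGNL_CONTEXT_VARS = (
    "context", "_memberAccess", "root", "this", "_typeResolver",
    "_classResolver", "_traceEvaluations", "_lastEvaluation", "_keepLastEvaluation",
)

_PERCENT_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Whole-token match so that e.g. "rootCause" or "x_memberAccess" is not flagged.
_CONTEXT_REF = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(re.escape(v) for v in OGNL_CONTEXT_VARS) + r")(?![A-Za-z0-9_])"
)

# Constructed sample query strings (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": "user.name=alice&addresses[0].city=Oslo",
    "percent_encoded_hash": "%23root.user.name=mallory&x=1",
    "double_encoded_hash": "%2523context.foo=1",
    "bare_context_variable": "_memberAccess.baz=1",
}


def normalize(name: str) -> str:
    """Undo the encodings a parameter name may arrive in before inspecting it.

    Percent-decoding is repeated until the string stops changing (covers
    double-encoded input), then Java-style \\uXXXX escapes are resolved, so the
    check sees the text an expression evaluator would see, not the wire form
    a naive character filter compares against.
    """
    previous = None
    while previous != name:
        previous = name
        name = _PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def inspect_param_name(name: str) -> list[str]:
    """Return the reasons a parameter name looks like an OGNL context reference.

    An empty list means the name passed. 'root', 'this' and 'context' can
    collide with ordinary property names, so review those hits rather than
    blocking on them blindly.
    """
    decoded = normalize(name)
    reasons = []
    if "#" in decoded:
        reasons.append("contains '#' (OGNL variable/context reference)")
    match = _CONTEXT_REF.search(decoded)
    if match:
        reasons.append(f"references OGNL context variable '{match.group(1)}'")
    return reasons


def iter_param_names(query: str):
    """Yield raw (still encoded) parameter names from a query string or form body."""
    for pair in query.split("&"):
        if pair:
            yield pair.split("=", 1)[0]


def inspect_query(query: str) -> list[tuple[str, list[str]]]:
    """Return (raw_name, reasons) for every parameter name that was flagged."""
    findings = []
    for raw_name in iter_param_names(query):
        reasons = inspect_param_name(raw_name)
        if reasons:
            findings.append((raw_name, reasons))
    return findings


if __name__ == "__main__":
    for label, query in SAMPLE_REQUESTS.items():
        findings = inspect_query(query)
        status = "FLAGGED" if findings else "ok"
        print(f"{label:24s} {status}")
        for raw_name, reasons in findings:
            print(f"    {raw_name!r}: {'; '.join(reasons)}")
```

Run as a script it prints a verdict per sample request; the same inspect_query() can be dropped into a reverse-proxy or log-review job to surface parameter names that try to reach the context objects before the request hits the application. The check is a detection aid, not a substitute for the upgrade in the remediation section.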
Remediation
  • Upgrade to Struts version 2.2.
References