Apache patches Struts 2 RCE vulnerability (CVE-2021-31805)

The Apache Software Foundation has patched a Struts 2 vulnerability, CVE-2021-31805, that may lead to remote code execution.

An attacker who exploits it can execute arbitrary code on the application server, which in turn exposes any sensitive information the application handles.

Apache described the problem as a forced OGNL evaluation issue and as a follow-up to an earlier, incomplete Struts 2 patch:

“The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”

Apache Software Foundation

As noted in the Apache advisory S2-062, administrators should upgrade to Struts 2.5.30 or later and/or avoid using forced OGNL evaluation on untrusted user input.

Affected versions include Struts 2.0.0 – Struts 2.5.29.
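As an added example (not Apache's code and not part of the S2-062 advisory), the following Python script implements the two checks the advisory implies: it reads the struts2-core version out of a pom.xml and reports whether it falls in the affected 2.0.0 to 2.5.29 range, and it scans a JSP for Struts tag attributes that force OGNL evaluation with the %{...} syntax. The pom.xml and JSP snippets are constructed sample inputs, and the `<s:a id="%{query}">` line is a constructed illustration of the attribute pattern the advisory warns about, not a reproduction of any exploit.

```python
import re
import xml.etree.ElementTree as ET

# Range published in S2-062: 2.0.0 up to and including 2.5.29 is affected,
# 2.5.30 carries the fix.
FIRST_AFFECTED = (2, 0, 0)
PATCHED = (2, 5, 30)

# Constructed sample pom.xml: the version is declared through a Maven property,
# a common layout that a naive grep for "<version>" would miss.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.5.29</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample JSP. Line 4 wraps a request-bound value in %{...} inside a
# tag attribute, forcing a second OGNL evaluation; line 5 is the plain form.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="query" label="Search" />
  <s:a id="%{query}" href="#">link</s:a>
  <s:a id="query" href="#">link</s:a>
</s:form>
"""


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.29' -> (2, 5, 29); extra components such as '2.3.37.1' are ignored."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError("unparsable version: %r" % text)
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True when the version lies in the S2-062 affected range."""
    return FIRST_AFFECTED <= parse_version(version) < PATCHED


def resolve_property(root, value):
    """Resolve ${name} against the pom's <properties>; other values pass through."""
    m = re.fullmatch(r"\$\{(.+)\}", value.strip())
    if not m:
        return value
    for props in root.iter():
        if _local(props.tag) == "properties":
            for p in props:
                if _local(p.tag) == m.group(1):
                    return (p.text or "").strip()
    return value


def struts_core_versions(root):
    """Return every declared org.apache.struts:struts2-core version, resolved."""
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "org.apache.struts"
                and fields.get("artifactId") == "struts2-core"):
            found.append(resolve_property(root, fields.get("version", "")))
    return found


STRUTS_TAG = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)
ATTR = re.compile(r'(\w[\w:-]*)\s*=\s*"([^"]*)"')
FORCED_OGNL = re.compile(r"%\{[^}]*\}")


def forced_ognl_in_tags(jsp_text):
    """List (line, tag, attribute, value) for each Struts tag attribute using %{...}.

    %{...} is legitimate Struts syntax; a hit means "review whether this value can
    carry untrusted input", not "this is exploitable". Tag bodies are not scanned.
    """
    hits = []
    for m in STRUTS_TAG.finditer(jsp_text):
        tag, attrs = m.group(1), m.group(2)
        line = jsp_text.count("\n", 0, m.start()) + 1
        for a in ATTR.finditer(attrs):
            name, value = a.groups()
            if FORCED_OGNL.search(value):
                hits.append((line, tag, name, value))
    return hits


def audit(pom_xml, jsp_text):
    """Combine the version check and the template scan into one report."""
    root = ET.fromstring(pom_xml)
    versions = struts_core_versions(root)
    return {
        "struts2_core_versions": versions,
        "affected_by_cve_2021_31805": any(is_affected(v) for v in versions),
        "forced_ognl_attributes": forced_ognl_in_tags(jsp_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_POM, SAMPLE_JSP).items():
        print(key, "=", value)
```

The version check is the decisive one: a project on 2.5.29 or earlier is affected regardless of how its templates are written. The template scan only narrows the manual review, since `%{...}` in a tag attribute is correct Struts usage whenever the value it wraps cannot be influenced by a request; it also does not cover FreeMarker or Velocity templates or expressions placed in tag bodies.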

On a related note, Microsoft also released its April 2022 Security Updates, which include patches for 117 vulnerabilities, 10 of them rated Critical.
