The Apache Software Foundation has patched two vulnerabilities in Apache Struts 2 that could result in remote code execution (RCE) or Denial of Service (DoS).
An attacker could exploit one of these vulnerabilities to take control of impacted systems.
According to Apache, the two vulnerabilities affect Struts versions 2.0.0 – 2.5.20 and are described in the advisory:
- CVE-2019-0230: Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
- CVE-2019-0233: Access permission override causing a Denial of Service when performing a file upload.
The good news: if you are running Struts version 2.5.22 (released in November 2019), you are not affected.
Apache further urged “developers building upon Struts 2 to not use %{…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities.”
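To make that guidance concrete, here is an added illustration of the pattern Apache warns about; it is not code from the advisory or from the Struts project. The JSP fragments in the comments, the package, the action and field names, and the allowlist regular expression are all assumptions chosen for the example. The risky form applies `%{...}` to a request parameter the user controls; the hardened form keeps tag attributes static where possible and, where a dynamic value is really needed, only lets through a value the action has first validated against a strict allowlist, so the string that reaches the tag attribute can never contain OGNL expression syntax.

```java
// Added example (not from the Apache advisory or the Struts code base).
//
// Risky JSP (hypothetical template skill.jsp): forced OGNL evaluation of a
// value that arrives straight from a request parameter.
//
//   <s:a id="%{skillName}" action="showSkill">Show skill</s:a>
//
// In affected versions the tag evaluates %{skillName} and, if the resulting
// string itself has the shape of an OGNL expression, evaluates it a second
// time (CVE-2019-0230). Apache's guidance: do not apply %{...} to
// unvalidated user-modifiable input in tag attributes.
//
// Hardened JSP, first choice: keep the attribute static.
//
//   <s:a id="skillLink" action="showSkill">Show skill</s:a>
//
// Hardened JSP, when the value must be dynamic: only ever reference a field
// that the action below has already validated against an allowlist.
//
//   <s:a id="%{skillName}" action="showSkill">Show skill</s:a>

package example; // hypothetical package

import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

public class SkillAction extends ActionSupport {

    // Allowlist (assumed policy for this example): letters, digits,
    // underscore and hyphen, 1 to 64 characters. It rejects the characters
    // an OGNL expression needs (%, {, }, (, ), #, quotes, dots).
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // Populated by the Struts parameters interceptor from ?skillName=...
    private String skillName;

    public String getSkillName() {
        return skillName;
    }

    public void setSkillName(String skillName) {
        this.skillName = skillName;
    }

    // Pure check, reusable from tests: true only for allowlisted values.
    public static boolean isSafeName(String value) {
        return value != null && SAFE_NAME.matcher(value).matches();
    }

    // Struts calls validate() before execute(); a field error makes the
    // workflow interceptor return INPUT instead of running execute().
    @Override
    public void validate() {
        if (!isSafeName(skillName)) {
            addFieldError("skillName",
                    "skillName must match " + SAFE_NAME.pattern());
        }
    }

    @Override
    public String execute() {
        // Only reached when skillName passed the allowlist above.
        return SUCCESS;
    }
}
```

Two caveats when applying this pattern. First, validation is defense in depth, not a substitute for upgrading to 2.5.22, which removes the double evaluation itself. Second, when `validate()` fails, Struts renders the result mapped to `input`; that page must not place the rejected value back into a `%{...}` tag attribute, or the unvalidated string still reaches a tag on the error path.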
Organizations and users are strongly encouraged to upgrade to version 2.5.22 if they have not already done so.