Service Notices
S2-059 Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
Aug 14, 2020 GMT+08:00
I. Overview
It has recently been disclosed that the S2-059 remote code execution vulnerability (CVE-2019-0230) exists in Apache Struts 2. The Apache Struts framework, which uses the OGNL expression language by default, when forced, performs double evaluation of values assigned to certain tag attributes such as id. With a carefully crafted request, an attacker can inject malicious code through OGNL expressions and trigger remote code execution (RCE).
If you are an Apache Struts user, check your versions and implement timely security hardening.
For more information about this vulnerability, visit the following website:
https://cwiki.apache.org/confluence/display/WW/S2-059?spm=a2c4g.11174386.n2.3.40ac1051vjfTnI
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Struts 2.0.0 to 2.5.20
Secure versions:
Apache Struts 2.5.22 and later
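A quick way to act on the version ranges above is to inventory the struts2-core artifacts deployed on a host and sort them against the advisory's affected and secure ranges. The following script is an added example, not part of this notice or of the Apache Struts project; the sample jar paths are constructed, and the jar naming pattern (struts2-core-<version>.jar) is an assumption about how the artifact is usually deployed.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Affected range taken from the advisory: Apache Struts 2.0.0 through 2.5.20.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)
# First secure release named in the advisory.
FIXED_MIN = (2, 5, 22)

# Assumed artifact naming: struts2-core-<major>.<minor>.<patch>[qualifier].jar
# Qualifiers such as "-SNAPSHOT" after the numeric part are tolerated.
_JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

# Constructed sample inventory (not real hosts); a scan of WEB-INF/lib would
# normally produce this list.
SAMPLE_JARS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.5.20.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.22.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.5.26.jar",
    "/opt/app5/WEB-INF/lib/commons-lang3-3.9.jar",
    "/opt/app6/WEB-INF/lib/struts2-core-2.5.20-SNAPSHOT.jar",
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into a tuple; trailing qualifiers are ignored.
    Returns None when the string does not start with a numeric version."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies inside the advisory's affected range,
    False otherwise, None if it cannot be parsed (treat as needing review)."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def find_struts_jars(root: str) -> List[str]:
    """Walk a directory tree and collect paths that look like struts2-core jars."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _JAR_RE.match(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def classify_jars(paths: List[str]) -> Dict[str, List[str]]:
    """Bucket struts2-core jar paths as affected, secure, or review.
    'review' holds versions above the affected range but below the first
    secure release, which the advisory does not explicitly classify."""
    report: Dict[str, List[str]] = {"affected": [], "secure": [], "review": []}
    for path in paths:
        m = _JAR_RE.match(os.path.basename(path))
        if not m:
            continue  # not a struts2-core artifact, skip it
        v = tuple(int(g) for g in m.groups())
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            report["affected"].append(path)
        elif v >= FIXED_MIN:
            report["secure"].append(path)
        else:
            report["review"].append(path)
    return report


if __name__ == "__main__":
    # Run against the constructed inventory; replace SAMPLE_JARS with
    # find_struts_jars("/opt") to scan a real deployment directory.
    for bucket, paths in classify_jars(SAMPLE_JARS).items():
        for p in paths:
            print(f"{bucket:8s} {p}")
```

Anything reported as affected should be upgraded to 2.5.22 or later; entries in the review bucket, and any jar whose version string fails to parse, should be checked by hand rather than assumed safe.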
IV. Vulnerability Handling
This vulnerability has been fixed in later official releases. If your version falls within the affected range, upgrade it to a secure version.
For details about secure versions, visit the following website: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
The Web Application Firewall (WAF) service, provided by HUAWEI CLOUD, can defend against attacks exploiting this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.