Service Notices
Apache Struts Security Bulletin S2-061: Struts 2 Remote Code Execution Vulnerability (CVE-2020-17530)
Dec 09, 2020 GMT+08:00
I. Overview
Apache Struts has officially released security bulletin S2-061, which discloses a remote code execution vulnerability (CVE-2020-17530). Under specific conditions, attackers can construct malicious OGNL expressions to execute arbitrary code.
If you are an Apache Struts 2 user, check your system and implement timely security hardening.
References:
https://cwiki.apache.org/confluence/display/WW/S2-061
II. Severity
Severity: important
(Severity levels, from lowest to highest: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Struts 2.0.0–2.5.25
Secure versions:
Apache Struts 2.5.26 and later versions
IV. Vulnerability Handling
This vulnerability has been fixed in the newly released version. If your Struts version falls into the affected range, upgrade it to the latest secure version:
https://struts.apache.org/download.cgi
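As an added example, not part of this notice or of the Struts project, the following Python script shows one way to check whether a build is in the affected range: it reads the struts2-core version declared in a Maven pom.xml (including a version given through a `${property}` reference) and compares it numerically against 2.0.0–2.5.25, so that a version such as 2.5.9 is correctly treated as older than 2.5.25. The POM content is constructed for the demonstration and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Range stated in the bulletin: Apache Struts 2.0.0 through 2.5.25 are affected,
# 2.5.26 and later are secure.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 25)
FIXED_MIN = (2, 5, 26)

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from any real project) that declares
# struts2-core through a property, as many Maven builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.5.25</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.5.25' (or '2.5.25.1', '2.5') into a tuple of ints.

    Tuples compare numerically; comparing the raw strings would rank
    '2.5.9' above '2.5.25' and misclassify it.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.-].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies within the range named in the bulletin."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def struts_core_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the declared org.apache.struts:struts2-core version, or None.

    Resolves a single ${property} reference against <properties>; anything
    more elaborate (parent POMs, profiles) is out of scope for this example.
    """
    root = ET.fromstring(pom_xml)
    props = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", MAVEN_NS)
    }
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        if gid == "org.apache.struts" and aid == "struts2-core":
            ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
            ref = re.fullmatch(r"\$\{(.+)\}", ver)
            if ref:
                ver = props.get(ref.group(1), "")
            return ver or None
    return None


def assess(pom_xml: str) -> Tuple[Optional[str], str]:
    """Classify a POM as 'affected', 'not affected' or 'unknown' (no version found)."""
    version = struts_core_version_from_pom(pom_xml)
    if version is None:
        return None, "unknown"
    return version, "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    version, verdict = assess(SAMPLE_POM)
    print(f"struts2-core {version}: {verdict} by S2-061 (CVE-2020-17530)")
    if verdict == "affected":
        print(f"upgrade to {'.'.join(map(str, FIXED_MIN))} or later")
```

The POM is only a proxy for what is actually deployed: a WAR built from an older branch, a shaded jar or a transitive dependency can carry a different struts2-core than the current build file declares, so confirm against the jar names in WEB-INF/lib of the running application before treating a build as clean. Enabling WAF blocking reduces exposure in the meantime but does not replace the upgrade.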
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing the vulnerability, back up your files and test the change thoroughly.