Service Notices
S2-062 Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)
Apr 15, 2022 GMT+08:00
I. Overview
Recently, Apache officially released a security notice, disclosing a remote code execution vulnerability (CVE-2021-31805) in some versions of Apache Struts2. The fix issued for CVE-2020-17530 (S2-061) was incomplete. Using forced OGNL evaluation on untrusted user input can lead to remote code execution.
Apache Struts2 is a lightweight MVC web application framework. If you are an Apache APISIX user, check your versions and implement timely security hardening.
Reference:
https://cwiki.apache.org/confluence/display/WW/S2-062
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Struts 2.0.0 - Struts 2.5.29
Secure versions:
Struts >= 2.5.30
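The version range above is the check an operator actually has to run against a deployment. The following script is an added example written for this notice, not Huawei Cloud or Apache code: it finds struts2-core jar files under a web application directory, parses the version out of the file name, and classifies each against the advisory's range (2.0.0 - 2.5.29 affected, >= 2.5.30 fixed). The sample paths at the bottom are constructed for illustration; the jar naming pattern `struts2-core-<version>.jar` is the standard Maven artifact name, and the regex also tolerates qualifiers such as `-SNAPSHOT`.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Range taken from the advisory (S2-062 / CVE-2021-31805).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 29)
FIXED_MIN = (2, 5, 30)

# Matches the standard Maven artifact name, e.g. struts2-core-2.5.29.jar,
# optionally followed by a qualifier such as -SNAPSHOT or .RELEASE.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:[-.][A-Za-z0-9]+)*\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.29' into (2, 5, 29); pad short versions like '2.5' to three parts."""
    nums = tuple(int(p) for p in text.split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def status(version: str) -> str:
    """Classify a Struts version string against the advisory's ranges."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    # Anything below 2.0.0 is not Struts2 and is outside this advisory.
    return "outside advisory range"


def is_affected(version: str) -> bool:
    return status(version) == "affected"


def classify_jar(path: str) -> Optional[Tuple[str, str]]:
    """Return (version, status) for a struts2-core jar path, or None for other files."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = m.group(1)
    return version, status(version)


def scan_paths(paths: List[str]) -> Dict[str, Tuple[str, str]]:
    """Classify every struts2-core jar among the given paths."""
    results = {}
    for p in paths:
        found = classify_jar(p)
        if found is not None:
            results[p] = found
    return results


def scan_directory(root: str) -> Dict[str, Tuple[str, str]]:
    """Walk a deployment directory (e.g. a WEB-INF/lib tree) and classify its jars."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return scan_paths(paths)


# Constructed sample inventory: file names only, nothing is read from disk here.
SAMPLE_PATHS = [
    "/opt/app-a/WEB-INF/lib/struts2-core-2.5.29.jar",
    "/opt/app-b/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/app-c/WEB-INF/lib/struts2-core-2.3.37-SNAPSHOT.jar",
    "/opt/app-d/WEB-INF/lib/struts-core-1.3.10.jar",
    "/opt/app-a/WEB-INF/lib/commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for path, (version, verdict) in sorted(scan_paths(SAMPLE_PATHS).items()):
        print(f"{verdict:10s} {version:8s} {path}")
```

Run it against a real deployment with `scan_directory("/path/to/webapps")`; only jars reporting `fixed` meet the advisory's secure-version requirement. A jar renamed or shaded into another artifact will not be matched by the file-name pattern, so treat a clean result as a starting point rather than proof.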
IV. Vulnerability Handling
1. This vulnerability has been fixed in an official release. If your service version falls into the affected range, upgrade it to the secure version:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30
Huawei Cloud WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.