Apache Struts 2 Forced double OGNL evaluation S2-059
Description
The Apache Struts framework, when forced to, performs double evaluation of the values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).
Recommendation
The ultimate fix is adding proper validation of each incoming value that is used in a tag's attributes. Don't use forced evaluation of an attribute other than value using the %{…} or ${…} syntax unless it is really needed for a valid use case.
Upgrading to Struts 2.5.22 further limits the possible malicious effects of forced double evaluation and closes the reported attack vector, especially when combined with Proactive OGNL Expression Injection Protection.
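The following is an added example, not code from this page or from the Apache Struts project: a hypothetical Struts 2 action (class SkillAction, property skillName are assumed names) that applies the allowlist validation the recommendation calls for, with the vulnerable and hardened JSP tag usage shown in the comments.

```java
import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

/*
 * Hypothetical action and JSP fragments (added example, not Struts project code).
 *
 * Vulnerable pattern: forced %{...} evaluation of an attribute other than value.
 *
 *   <s:a id="%{skillName}">Show skill</s:a>
 *
 * The attribute is evaluated as OGNL once when it is set and the resulting string
 * is evaluated again when the tag renders, so raw request input reaches the
 * OGNL evaluator a second time.
 *
 * Hardened pattern, preferred: do not force evaluation, use a literal id.
 *
 *   <s:a id="skill-link">Show skill</s:a>
 *
 * If a dynamic id is genuinely required, keep %{skillName} only together with
 * the strict validation below, so that only plain identifier strings ever reach
 * the tag attribute.
 */
public class SkillAction extends ActionSupport {

    // Allowlist: a plain HTML identifier. Everything else, including the
    // characters an OGNL expression needs ('%', '$', '{', '}', '#', '@', '('),
    // is rejected outright rather than escaped.
    private static final Pattern SAFE_ID =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_-]{0,63}$");

    private String skillName;

    public String getSkillName() {
        return skillName;
    }

    // Populated from the request parameter by the params interceptor.
    public void setSkillName(String skillName) {
        this.skillName = skillName;
    }

    // Reusable check so the same rule can be unit-tested outside the action.
    public static boolean isSafeId(String candidate) {
        return candidate != null && SAFE_ID.matcher(candidate).matches();
    }

    // With the default interceptor stack, validate() runs before execute();
    // any field error makes the workflow interceptor return INPUT instead.
    @Override
    public void validate() {
        if (!isSafeId(skillName)) {
            addFieldError("skillName", "skillName must be a plain identifier");
        }
    }

    @Override
    public String execute() {
        // Only reached when skillName passed the allowlist above.
        return SUCCESS;
    }
}
```

With this in place a request carrying skillName=%{...} or ${...} never reaches the view: validate() records a field error and the action returns the INPUT result, so the tag attribute is rendered only for values that match the identifier pattern. Checking the input against an allowlist, rather than trying to strip expression syntax, is the safer choice because it does not depend on knowing every form the OGNL evaluator accepts.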
References
- S2-059 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2019-0230
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
- OWASP 2017-A9
- OWASP 2021-A6