Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
There is a critical vulnerability in Apache Struts 2. Remote attackers can execute arbitrary code on Struts 2 with Dynamic Method Invocation enabled by referencing malicious expressions via the REST plugin. The vulnerability is tracked as CVE-2016-3087 and named S2-033.
Researchers from DBAPPSecurity disclosed that the fix for Struts 2 S2-033 released by Apache is incomplete: remote attackers can still execute arbitrary code on Struts 2 with the fix applied.
Affected versions: Struts 2.3.20 - Struts 2.3.28 (excluding 126.96.36.199 and 188.8.131.52)
Fixed versions: Struts 184.108.40.206, 220.127.116.11 or 18.104.22.168
Disable Dynamic Method Invocation
In struts.xml, change `<constant name="struts.enable.DynamicMethodInvocation" value="true" />` to `<constant name="struts.enable.DynamicMethodInvocation" value="false" />`. If the constant is not present, no modification is needed. Alternatively, upgrade to Struts 2.5.
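A small configuration check for the mitigation above, added here as an example (it is not code from the advisory or from the Struts project): it parses a struts.xml, reports whether the DMI constant is enabled, disabled or absent following the rule stated above, and rewrites an enabled constant to `false`. The sample struts.xml is constructed for the example.

```python
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed sample struts.xml with DMI explicitly enabled (the weak setting).
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true" />
  <package name="default" extends="struts-default">
  </package>
</struts>"""


def dmi_status(struts_xml: str) -> str:
    """Return 'enabled', 'disabled' or 'absent' for the DMI constant."""
    root = ET.fromstring(struts_xml)
    # <constant> can appear at the top level or inside <package>, so walk the whole tree.
    values = [
        c.get("value", "").strip().lower()
        for c in root.iter("constant")
        if c.get("name") == DMI_CONSTANT
    ]
    if not values:
        # Per the advisory, an absent constant needs no change.
        return "absent"
    # If the constant is declared more than once, the last definition wins.
    return "enabled" if values[-1] == "true" else "disabled"


def needs_fix(struts_xml: str) -> bool:
    """True only when DMI is explicitly switched on."""
    return dmi_status(struts_xml) == "enabled"


def harden(struts_xml: str) -> str:
    """Return the document with every DMI constant forced to false.

    Note: ElementTree does not preserve a DOCTYPE declaration, so re-add it
    if the original file carried one.
    """
    root = ET.fromstring(struts_xml)
    for c in root.iter("constant"):
        if c.get("name") == DMI_CONSTANT:
            c.set("value", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", dmi_status(VULNERABLE_STRUTS_XML))   # enabled
    print("after: ", dmi_status(harden(VULNERABLE_STRUTS_XML)))  # disabled
```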
For more information about how to detect the vulnerability on your website, please contact DBAPPSecurity at email@example.com