Apache Struts Dynamic Method Invocation command execution

2016-05-0600:00:00

SAINT Corporation

download.saintcorporation.com

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

JSON

Added: 05/06/2016
CVE: CVE-2016-3081

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

The Dynamic Method Invocation feature allows the HTTP request to specify the name of the method to invoke.

Problem

A vulnerability in the Dynamic Method Invocation feature allows a remote attacker to execute arbitrary code by sending a specially crafted request containing a **method:** prefix.

Resolution

Upgrade to Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1 or higher, or disable Dynamic Method Invocation in the web application.

References

<https://struts.apache.org/docs/s2-032.html>

Limitations

Exploit works on vulnerable versions of Apache Struts between 2.3.20 and 2.3.28 on Linux operating systems, and requires Dynamic Method Invocation to be enabled.