Apache Struts Dynamic Method Invocation command execution

2016-05-06T00:00:00
ID SAINT:C0B4D5468890CF90769399ACED5F1513
Type saint
Reporter SAINT Corporation
Modified 2016-05-06T00:00:00

Description

Added: 05/06/2016
CVE: CVE-2016-3081

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

The Dynamic Method Invocation (DMI) feature allows the HTTP request itself, rather than the action mapping in struts.xml, to name the action method that will be invoked, for example through a request parameter whose name carries the method: prefix.

Problem

When Dynamic Method Invocation is enabled, the method name taken from a request parameter carrying the **method:** prefix is handed to OGNL for evaluation instead of being treated as a plain method name. A remote attacker can therefore place an OGNL expression after the prefix in a specially crafted request and execute arbitrary code on the server.
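The following is an added detection example, not code from SAINT or the Apache Struts project. It scans web-server access-log lines (constructed samples in Common Log Format) for request parameters whose name begins with method: and whose remainder is not a plain Java identifier; a benign DMI call looks like method:save, so anything else after the prefix (characters such as #, @, (, =) is reported as a suspected OGNL expression. The log layout, the identifier heuristic and the sample lines are assumptions for illustration.

```python
"""Flag requests that abuse the Struts 2 ``method:`` prefix (S2-032).

Added example; not SAINT's or Apache's code. Heuristic: with Dynamic Method
Invocation enabled, a legitimate ``method:`` parameter names a Java method
(``method:save``). A remainder that is not a plain Java identifier is
treated as a suspected OGNL expression.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed access-log layout (Common Log Format); adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# What a benign Dynamic Method Invocation target looks like: a Java identifier.
JAVA_IDENT_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*$')

PREFIX = "method:"


def suspicious_method_params(target: str) -> list:
    """Return decoded ``method:`` parameter names in ``target`` whose
    remainder does not look like a plain method name.

    The prefix is matched on the parameter *name*, because that is where the
    Struts mapper reads it; only the query string is inspected."""
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if not name.startswith(PREFIX):
            continue
        method_name = name[len(PREFIX):]
        if not JAVA_IDENT_RE.match(method_name):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return (ip, target, suspicious_params) for every log line that
    carries a suspicious ``method:`` parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        hits = suspicious_method_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings


# Constructed sample lines: a benign DMI call, an OGNL-looking ``method:``
# parameter (harmless illustrative expression ``#foo=1,#foo``), and an
# unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2016:10:01:02 +0000] '
    '"GET /app/user.action?method:save&id=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/May/2016:10:01:09 +0000] '
    '"GET /app/user.action?method:%23foo%3D1%2C%23foo HTTP/1.1" 200 1024',
    '10.0.0.6 - - [06/May/2016:10:01:15 +0000] '
    '"POST /app/login.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

Access logs record only the request line, so this catches payloads carried in the query string; a POST body with the same parameter is invisible here and needs a proxy, WAF or full-request log fed through the same suspicious_method_params() check. A hit does not by itself prove exploitation, only that someone sent a non-identifier after the method: prefix, which no legitimate DMI caller does.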

Resolution

Upgrade to Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1 or higher. As a workaround, disable Dynamic Method Invocation in the web application by setting the struts.enable.DynamicMethodInvocation constant to false in struts.xml (or the equivalent entry in struts.properties); DMI is enabled by default in the affected 2.3.x releases, so an explicit setting is required.

References

<https://struts.apache.org/docs/s2-032.html>

Limitations

Exploit works on vulnerable versions of Apache Struts between 2.3.20 and 2.3.28 on Linux operating systems, and requires Dynamic Method Invocation to be enabled.
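The following is an added example, not SAINT's or Apache's code, that classifies a Struts 2 version string against the ranges stated in the Resolution and Limitations above (exploit range 2.3.20 to 2.3.28; fixed in 2.3.20.3, 2.3.24.3, 2.3.28.1 or higher). It encodes only what this page states, so for versions outside that range, or for the exact list of unaffected point releases, consult the Apache advisory. The point it demonstrates is that the fix lives in three separate patch lines, so a naive "newer is safer" comparison is wrong: 2.3.24.3 is fixed while the numerically larger 2.3.28 is not.

```python
"""Classify a Struts 2 version against what this advisory states.

Added example; not SAINT's or Apache's code. Only the versions named on
this page are encoded here.
"""

# Fixed releases, one per maintained 2.3.x patch line (from the Resolution).
FIXED = [(2, 3, 20, 3), (2, 3, 24, 3), (2, 3, 28, 1)]
# Range the exploit is stated to work against (from the Limitations).
RANGE_LOW = (2, 3, 20)
RANGE_HIGH = (2, 3, 28)


def parse_version(text: str) -> tuple:
    """'2.3.24.1' -> (2, 3, 24, 1).

    Pads to four components so tuple comparison is well defined
    ('2.3.24' becomes (2, 3, 24, 0)). Qualified strings such as
    '2.3.24-SNAPSHOT' are rejected because their ordering is undefined here."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Struts version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_fixed(version: str) -> bool:
    """True if the version carries the S2-032 fix.

    A fix in one patch line does not cover later lines (2.3.24.3 is fixed,
    2.3.28 is not), so compare within each line separately, and treat
    anything at or above the newest fix release as fixed."""
    v = parse_version(version)
    if v >= max(FIXED):
        return True
    for fix in FIXED:
        if v[:3] == fix[:3] and v >= fix:
            return True
    return False


def status(version: str) -> str:
    """One-line verdict for a version, limited to what this page states."""
    v = parse_version(version)
    if is_fixed(version):
        return "fixed"
    if RANGE_LOW <= v[:3] <= RANGE_HIGH:
        return "vulnerable (within exploit range; DMI must be enabled)"
    return "outside stated range; consult the Apache advisory"


if __name__ == "__main__":
    for candidate in ["2.3.20.2", "2.3.24.3", "2.3.28", "2.3.28.1", "2.5.2"]:
        print(f"{candidate:10} {status(candidate)}")
```

A "vulnerable" verdict still depends on the second condition in the Limitations above: the exploit needs Dynamic Method Invocation enabled, which the version number alone cannot tell you, so pair this check with a look at struts.enable.DynamicMethodInvocation in the deployed configuration.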

Platforms

Linux