Lucene search

K
saintSAINT CorporationSAINT:C0B4D5468890CF90769399ACED5F1513
HistoryMay 06, 2016 - 12:00 a.m.

Apache Struts Dynamic Method Invocation command execution

2016-05-0600:00:00
SAINT Corporation
www.saintcorporation.com
40
apache struts
dynamic method invocation
command execution
vulnerability
upgrade
linux
cve-2016-3081

EPSS

0.975

Percentile

100.0%

Added: 05/06/2016
CVE: CVE-2016-3081

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

The Dynamic Method Invocation feature allows the HTTP request to specify the name of the method to invoke.

Problem

A vulnerability in the Dynamic Method Invocation feature allows a remote attacker to execute arbitrary code by sending a specially crafted request containing a **method:** prefix.

Resolution

Upgrade to Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1 or higher, or disable Dynamic Method Invocation in the web application.

References

<https://struts.apache.org/docs/s2-032.html&gt;

Limitations

Exploit works on vulnerable versions of Apache Struts between 2.3.20 and 2.3.28 on Linux operating systems, and requires Dynamic Method Invocation to be enabled.

Platforms

Linux