Understanding the Critical Apache Struts2 Remote Code Execution (CVE‑2019‑0230)
On August 13, 2020, 360CERT reported a high‑severity remote command execution vulnerability (CVE‑2019‑0230, Apache advisory S2-059) in Apache Struts2 versions 2.0.0 through 2.5.20: forced OGNL evaluation of tag attribute values that are populated from external input. The report covers the injection mechanism, risk rating, affected versions, remediation steps, and a timeline of disclosures.
0x01 Vulnerability Overview
On August 13, 2020, 360CERT detected that Apache had announced a remote command execution vulnerability in Struts2, identified as CVE‑2019‑0230 and classified as High severity.
Struts2 performs forced (double) evaluation of OGNL expressions in certain tag attributes. When a tag attribute written with %{...} takes its value from external input, an attacker can place a malicious OGNL expression in that input; the expression is evaluated again when the tag is rendered, ultimately leading to remote code execution.
360CERT recommends users promptly upgrade Apache Struts2 to remediate the vulnerability and perform asset checks to prevent attacks.
0x02 Risk Rating
360CERT rates this vulnerability as High severity.
0x03 Vulnerability Details
Apache Struts 2 is an open‑source web‑application framework for Java EE that extends the Servlet API and encourages MVC architecture.
The vulnerability requires three conditions:
A Struts2 tag attribute value is evaluated as an OGNL expression (forced evaluation with %{...}).
That attribute value can be influenced by external input, for example a request parameter copied into the action property that the expression references.
The external input is not validated or sanitized before it reaches the attribute.
Only when all three conditions hold can an attacker inject a malicious OGNL expression and achieve remote command execution; the attacker's string is evaluated when the tag is rendered, which is why the Apache advisory describes the flaw as double evaluation.
0x04 Affected Versions
Apache Struts2: 2.0.0‑2.5.20
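As an added asset-check helper (not part of the 360CERT report or of the Struts project), the script below performs the two checks that the three conditions above and the affected-version range call for: it decides whether a struts2-core jar version falls inside 2.0.0 through 2.5.20, and it lists every Struts tag attribute in a JSP that uses forced OGNL evaluation (%{...}) so a reviewer can check whether the referenced property is set from external input. The sample JSP, the skillName property and the directory layout are constructed assumptions; each JSP hit is a candidate for review, not a confirmed injection point.

```python
import re
import sys
from pathlib import Path

# S2-059 / CVE-2019-0230 affected range as stated in the advisory (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)
FIXED_VERSION = (2, 5, 22)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")
# <s:tag attr="..." ...>: each double-quoted attribute value is scanned for %{...}
STRUTS_TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
FORCED_EVAL_RE = re.compile(r"%\{(.*?)\}")


def parse_version(text):
    """'2.5.20' -> (2, 5, 20); None when no a.b.c version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when a Struts version lies inside the 2.0.0 - 2.5.20 affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def jar_version(filename):
    """Version tuple from a struts2-core jar file name, or None for other jars."""
    m = JAR_RE.match(Path(filename).name)
    return tuple(int(x) for x in m.groups()) if m else None


def find_forced_evaluation(jsp_text):
    """Return every Struts tag attribute whose value uses forced OGNL evaluation.

    A hit means condition 1 (forced evaluation) is present; the reviewer still has
    to confirm conditions 2 and 3 (external, unvalidated input reaches the property).
    """
    findings = []
    for tag_m in STRUTS_TAG_RE.finditer(jsp_text):
        tag, attrs = tag_m.group(1), tag_m.group(2)
        line = jsp_text.count("\n", 0, tag_m.start()) + 1
        for attr, value in ATTR_RE.findall(attrs):
            for expr in FORCED_EVAL_RE.findall(value):
                findings.append({"line": line, "tag": f"s:{tag}",
                                 "attribute": attr, "expression": expr.strip()})
    return findings


def scan_tree(root):
    """Walk a deployment directory (assumed layout): report struts2-core jars in the
    affected range and forced-evaluation attributes in JSPs."""
    root = Path(root)
    affected_jars, findings = [], []
    for path in root.rglob("*"):
        if path.suffix == ".jar":
            v = jar_version(path.name)
            if v is not None and is_affected(v):
                affected_jars.append((str(path), v))
        elif path.suffix == ".jsp":
            for f in find_forced_evaluation(path.read_text(errors="replace")):
                f["file"] = str(path)
                findings.append(f)
    return affected_jars, findings


# Constructed sample JSP: the action is assumed to copy a request parameter into skillName.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<html><body>
<!-- skillName is copied from a request parameter by the action (constructed) -->
<s:a id="%{skillName}" href="/skills">Go</s:a>
<s:textfield name="skillName" value="%{skillName}" />
<s:property value="skillName" />
</body></html>
"""


def main(argv):
    if len(argv) > 1:
        jars, findings = scan_tree(argv[1])
    else:  # no path given: demonstrate on the constructed sample
        jars = [("struts2-core-2.5.20.jar", jar_version("struts2-core-2.5.20.jar"))]
        findings = find_forced_evaluation(SAMPLE_JSP)
    for path, v in jars:
        print(f"AFFECTED {path}: {'.'.join(map(str, v))} "
              f"(upgrade to {'.'.join(map(str, FIXED_VERSION))} or later)")
    for f in findings:
        print(f"REVIEW {f.get('file', '<sample>')}:{f['line']} <{f['tag']} "
              f"{f['attribute']}=\"%{{{f['expression']}}}\"> uses forced OGNL evaluation")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the sample output, or pass an exploded WAR directory to scan real jars and JSPs. On the sample it flags the id attribute of s:a and the value attribute of s:textfield; s:property is not reported because its attribute is a plain OGNL reference, not a forced %{...} evaluation.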
0x05 Mitigation Recommendations
Upgrade to Struts 2.5.22 or later.
If upgrading is not immediately possible, stop using forced OGNL evaluation (%{...}) on unvalidated external input, as the Apache advisory recommends, and enable the OGNL expression injection protections that Struts exposes as struts.xml constants (for example struts.excludedClasses and struts.excludedPackageNames).
0x06 Timeline
2020‑08‑13 Apache Struts2 official security advisory released.
2020‑08‑13 360CERT published its advisory.
0x07 References
Apache Struts2 official security advisory: https://cwiki.apache.org/confluence/display/WW/S2-059
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"