Fork me on GitHub
Edit on GitHub

Announcements 2020

Skip to: Announcements - 2019

08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530

The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Problem

Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Solution

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won’t lead to the double evaluation.

Please read our Security Bulletin S2-061 for more details.

This vulnerability was identified by:

All developers are strongly advised to perform this action.

06 December 2020 - Struts 2.5.26 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

Please read the Version Notes to find more details about performed bug fixes and improvements.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

28 September 2020 - Struts 2.5.25 General Availability

The Apache Struts group is pleased to announce that Struts 2.5.25 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Below is a full list of all changes:

Please read the Version Notes to find more details about performed bug fixes and improvements.

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.

13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

Two new Struts Security Bulletins have been issued for Struts 2 by the Apache Struts Security Team:

Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The current version 2.5.22, which was released in November 2019, is not affected.

CVE-2019-0230 has been reported by Matthias Kaiser, Apple Information Security. By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. However, we continue to urge developers building upon Struts 2 to not use %{...} or ${...} syntax referencing unvalidated user modifiable input in tag attributes , since this is the ultimate fix for this class of vulnerabilities.

CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error.

Both issues are already fixed in Apache Struts 2.5.22, which was released in November 2019.

We strongly recommend all users to upgrade to Struts 2.5.22, if this has not been done already.

The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.

Skip to: Announcements - 2019

Next: Kickstart FAQ