Home > Security Bulletins > S2-038

Summary

It is possible to bypass token validation and perform a CSRF attack

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible CSRF attack

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts Struts 2.3.28.1

Reporter

Takeshi Terada websec02 dot g02 at gmail.com

CVE Identifier

CVE-2016-4430

Problem

It is possible to pass a malicious expression which can be used to bypass token validation and perform CSRF attack.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.

Workaround

You can try to use more restrictive RegEx used to clean up action names as below:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Please adjust the RegEx to your action naming pattern, it should be as narrowed as possible.