Summary
Remote Code Execution can be performed when using REST Plugin with! operator when Dynamic Method Invocation is enabled.Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating | Important |
Recommendation | Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1. |
Affected Software | Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
Reporter | Alvaro Munoz alvaro dot munoz at hpe dot com |
CVE Identifier | CVE-2016-3087 |
Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled when using the REST Plugin.
Solution
Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1
Workaround
Disable Dynamic Method Invocation or implement your own version of RestActionMapper.