Gal_Goldshtein, F5 Employee

Recently, a new Remote Code Execution vulnerability in Apache Struts was disclosed. It is tracked under the Struts internal security advisory ID S2-059 as well as the CVE identifier CVE-2019-0230.


At the time of publishing this post, there are no public details available on how to exploit this specific vulnerability, but from the Struts security advisory we can learn that the issue only affects Struts applications that meet both of the following conditions:


  1. The application is using OGNL evaluation syntax (${…} / %{…}) inside Struts tag attributes
  2. The application is passing un-sanitized user input as the value of those Struts tag attributes

Figure 1: Example of vulnerable Apache Struts application page that meets the conditions mentioned above


When both conditions are met, an attacker may inject arbitrary OGNL expressions as the value of the vulnerable tag attributes; with certain payloads this can lead to Remote Code Execution.

Figure 2: Example of injecting an arbitrary OGNL expression into the vulnerable application shown above
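As an added illustration (not part of the original post and not Struts code), the following Python model shows why the two conditions above matter together. It stands in for OGNL with a toy evaluator that only resolves `%{name}` / `${name}` to a lookup on a value stack; the `render_attr_vulnerable` and `render_attr_hardened` functions, the stack contents and the `dbPassword` property are all constructed for the example.

```python
import html
import re

# Matches a whole OGNL-style expression: %{...} or ${...}
OGNL_EXPR = re.compile(r"^[%$]\{(?P<body>[^{}]+)\}$")


def ognl_lookup(expr, value_stack):
    """Toy evaluator: resolve %{name} / ${name} to value_stack[name].

    Real OGNL is a full expression language; restricting this model to
    plain property lookups is enough to show the double-evaluation flaw.
    Strings that are not expressions are returned unchanged, like literals.
    """
    m = OGNL_EXPR.match(expr)
    if not m:
        return expr
    name = m.group("body").strip()
    return value_stack.get(name, "")


def render_attr_vulnerable(attr_template, value_stack):
    """Model of the flawed behaviour: the tag evaluates its attribute, then
    evaluates the *result* again because it still looks like an expression.
    Text taken from the request therefore reaches the evaluator."""
    first = ognl_lookup(attr_template, value_stack)
    second = ognl_lookup(str(first), value_stack)   # the extra evaluation
    return html.escape(str(second))


def render_attr_hardened(attr_template, value_stack):
    """Evaluate the template exactly once; whatever the lookup returns is
    data and is escaped, never evaluated again."""
    once = ognl_lookup(attr_template, value_stack)
    return html.escape(str(once))


def demo(user_input):
    """Render the same constructed tag attribute both ways for one input."""
    # Constructed value stack: 'name' comes from a request parameter,
    # 'dbPassword' is an action property the page never meant to expose.
    stack = {"name": user_input, "dbPassword": "s3cret-(constructed)"}
    template = "%{name}"      # the tag attribute is written as id="%{name}"
    return {
        "vulnerable": render_attr_vulnerable(template, stack),
        "hardened": render_attr_hardened(template, stack),
    }


if __name__ == "__main__":
    for value in ["alice", "%{dbPassword}"]:
        print(repr(value), "->", demo(value))
```

With the benign input `alice` both renderers agree. With the input `%{dbPassword}` the vulnerable renderer returns the property value, because the request string was evaluated a second time; the hardened renderer returns the string itself as escaped data. In a real application the second condition is avoided by never building a tag attribute from raw request input.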


Mitigating the vulnerability with BIG-IP Advanced WAF

When the vulnerability was first announced, we successfully reproduced it in our lab and verified that our customers are already protected by existing signatures.


BIG-IP Advanced WAF customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” system.
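To show what detection of this attack class looks like in traffic, here is an added Python example (my own, not F5's signature logic or any BIG-IP code) that scans access-log lines for the OGNL evaluation syntax named in the advisory inside query parameters, after bounded URL decoding. The log lines, client addresses, paths and parameter names are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# OGNL evaluation syntax named in the advisory: ${...} and %{...}
OGNL_EXPR = re.compile(r"[%$]\{[^}]*\}")

# Combined-log-style access line: client address, then the quoted request line.
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def decode_bounded(value, rounds=3):
    """URL-decode until the value is stable or `rounds` is reached, so doubly
    encoded input (%2525%257B -> %25%7B -> %{) is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_params(target):
    """Yield (param, decoded_value) for query parameters carrying OGNL syntax."""
    query = target.partition("?")[2]
    for key, val in parse_qsl(query, keep_blank_values=True):
        decoded = decode_bounded(val)       # parse_qsl already decoded once
        if OGNL_EXPR.search(decoded):
            yield key, decoded


def scan_access_log(lines):
    """Return one finding per parameter that looks like an OGNL injection attempt."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue                        # not a request line we understand
        for param, value in find_ognl_params(m.group("target")):
            findings.append({"client": m.group("client"), "param": param, "value": value})
    return findings


# Constructed sample lines (not real traffic): one benign request, one with a
# singly URL-encoded %{...} value, one with a doubly encoded ${...} value.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2020:11:59:00 +0000] "GET /employee/list.action?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Aug/2020:11:59:07 +0000] "GET /employee/list.action?name=%25%7BdbPassword%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Aug/2020:11:59:09 +0000] "GET /employee/list.action?id=%2524%257Bname%257D&page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

This is deliberately narrow: it only inspects query-string parameters and the two syntaxes the advisory names, whereas a WAF signature set also inspects request bodies, headers and many more encodings. The bounded decoding loop matters because a single decode would miss the doubly encoded third line while still terminating on hostile input.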




Additional References

https://securitylab.github.com/research/apache-struts-double-evaluation

https://cwiki.apache.org/confluence/display/WW/S2-059


Last update: 17-Aug-2020 11:59