PROBLEM:
A vulnerability was reported in Apache Struts. A remote user can execute arbitrary commands on the target system.
PLATFORM:
Apache Struts 2.x
ABSTRACT:
Apache Struts Conversion Error OGNL Expression Injection Vulnerability.
REFERENCE LINKS:
Apache Struts 2.2.3.1 distribution
Secunia Advisory: SA47176
Vulnerability Report: Apache Struts 2.x
SecurityTracker Alert ID: 1026402
CNET Forums
IMPACT ASSESSMENT:
High
Discussion:
When a conversion error occurs, user-supplied input is evaluated as an OGNL expression. A remote user can send specially crafted data to execute arbitrary OGNL commands on the target system.
Impact:
The vulnerability is caused by an input sanitisation error, which can be exploited to inject and execute OGNL expressions when a conversion error is encountered. The vulnerability is reported in versions 2.0.0 through 2.2.3.
Solution:
The vendor has issued a fix. Update to version 2.2.3.1. Apache Downloads and Support
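Triage helper for the affected range given in the Impact and Solution sections (2.0.0 through 2.2.3, fixed in 2.2.3.1). This is an added example, not code from the advisory or from the Struts project; the dependency listing is constructed sample input in Maven groupId:artifactId:version form.

```python
"""Flag Apache Struts 2 artifacts whose version falls in the advisory's
affected range: 2.0.0 <= version < 2.2.3.1 (2.2.3 is affected, 2.2.3.1 is fixed).
Added example; the listing below is constructed, not real inventory."""
import re
from typing import List, Tuple

AFFECTED_FROM = (2, 0, 0, 0)   # first affected version per the advisory
FIXED_IN = (2, 2, 3, 1)        # fixed version per the advisory

# Constructed sample dependency listing (groupId:artifactId:version).
SAMPLE_DEPENDENCIES = """\
org.apache.struts:struts2-core:2.2.1
org.apache.struts:struts2-core:2.2.3.1
org.apache.struts:struts2-convention-plugin:2.0.14
org.springframework:spring-core:3.0.5.RELEASE
org.apache.struts:struts2-core:2.3.1
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.3' or '2.2.3.1' into a 4-tuple of ints so that 2.2.3 sorts
    below 2.2.3.1; non-numeric qualifiers such as '-SNAPSHOT' are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_FROM <= v < FIXED_IN


def find_affected(listing: str) -> List[str]:
    """Return the Struts 2 coordinates in an affected version. Struts 2
    plugins share the framework version, so struts2-* artifacts are checked too."""
    hits = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        group, artifact, version = line.split(":", 2)
        if group == "org.apache.struts" and artifact.startswith("struts2-") \
                and is_affected(version):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for coord in find_affected(SAMPLE_DEPENDENCIES):
        print("AFFECTED:", coord)
```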