Alert: Apache Struts 2 high-risk remote code execution vulnerability
A Struts 2 remote code execution vulnerability (a later one than the flaw described below) led to the Equifax data breach, in which Equifax lost about 5 billion in market value and its CIO and CISO took the blame and resigned. The commercial WAF dynamic library built into Luccitech ADC can effectively prevent such security incidents!
Summary: Apache Struts 2 is one of the most popular Java web application frameworks in the world. Recently, Nike Zheng, a security researcher at the Chinese security company Anheng Information, found a high-risk security vulnerability in Struts 2 (CVE-2016-3081, Apache advisory S2-032). When Dynamic Method Invocation (DMI) is enabled, a remote attacker can make the Struts 2 application execute arbitrary commands on the server. The vulnerability affects a wide range of Struts 2 versions (see the affected versions below).
E Security Encyclopedia:
Struts 2 is the successor to Struts 1. It is a new framework built on the combined technology of Struts 1 and WebWork, and its architecture differs greatly from that of Struts 1. Struts 2 takes WebWork as its core and uses an interceptor mechanism to handle user requests, a design that completely decouples the business-logic controller from the Servlet API; Struts 2 can therefore be understood as an updated WebWork. Although the changes from Struts 1 to Struts 2 are extensive, Struts 2 changed very little relative to WebWork.
Security researchers at Anheng Information found a serious remote code execution vulnerability (CVE-2016-3081, S2-032) in Struts 2. Apache has issued an advisory rating the vulnerability as high risk and has released fixed versions. Website systems that use this component should be upgraded promptly.
Affected versions:
Struts 2.0.0 through Struts 2.5.BETA3, excluding the fixed versions 2.3.20.2, 2.3.24.2 and 2.3.28.1. (Apache's own S2-032 advisory gives a narrower range, Struts 2.3.20 through 2.3.28 except 2.3.20.2 and 2.3.24.2, with 2.3.28.1 as the fix release.)
Remediation recommendations:
1. Disable Dynamic Method Invocation:
Edit the Struts 2 configuration file (struts.xml) and set "struts.enable.DynamicMethodInvocation" to false, for example:
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
The same constant can also be set in struts.properties (struts.enable.DynamicMethodInvocation=false) or as a filter init-param in web.xml; the definition loaded last takes effect, so check every place the constant is defined and verify the effective value. Note that disabling DMI breaks the "action!method" URL style; applications that rely on it should switch to wildcard method mappings in struts.xml.
2. Where possible, upgrade Struts to 2.3.20.2, 2.3.24.2 or 2.3.28.1, which fix the vulnerability. Downloads are available at https://struts.apache.org/download.cgi#struts23281
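The following checker is an added example written for this page; it is not code from the article, from Anheng Information or from the Apache Struts project. It applies both remediation checks above to a deployment: is the Struts version inside the article's affected range, and does struts.xml leave Dynamic Method Invocation enabled? The affected range is encoded exactly as the article states it (2.0.0 through 2.5.BETA3, minus the three fixed releases), plus one assumption not on the page: that 2.3.x releases after 2.3.28.1 keep the fix. The checker reads only struts.xml (not struts.properties or web.xml), takes the last definition of the constant as the effective one, and treats an absent constant as enabled because the 2.3.x framework default for this setting is true. The two struts.xml documents are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"


def version_key(version, width=4):
    """Turn a Struts version string into a comparable tuple.

    Each component becomes (1, n) for a plain number or (0, n) for a
    pre-release tag such as BETA3 / RC1, so 2.5.BETA3 sorts below 2.5.0.
    Missing trailing components are padded with (1, 0) so 2.5 == 2.5.0.
    """
    parts = []
    for part in version.split("."):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)", part)
        if not m:
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        tag, num = m.groups()
        parts.append((0 if tag else 1, int(num)))
    while len(parts) < width:
        parts.append((1, 0))
    return tuple(parts)


# Range as given in the article: 2.0.0 up to and including 2.5.BETA3,
# with the three fixed releases carved out.
AFFECTED_LOW = version_key("2.0.0")
AFFECTED_HIGH = version_key("2.5.BETA3")
FIXED_RELEASES = {version_key(v) for v in ("2.3.20.2", "2.3.24.2", "2.3.28.1")}


def version_in_affected_range(version):
    """True if `version` is in the article's affected range and is not a fixed release."""
    v = version_key(version)
    if v in FIXED_RELEASES:
        return False
    # Assumption (not stated in the article): every 2.3.x release after
    # 2.3.28.1 carries the fix forward, so the tail of the 2.3 line is clean.
    if version_key("2.3.28.1") <= v < version_key("2.4"):
        return False
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def dmi_enabled(struts_xml, default=True):
    """Report whether Dynamic Method Invocation is on according to struts.xml.

    Only <constant> elements in this one file are inspected; struts.properties
    and the filter init-params in web.xml can also set the value and are not
    read here. When the constant appears more than once the last definition is
    taken as the effective one. An absent constant falls back to `default`,
    which is True because the 2.3.x framework default for this setting is true.
    """
    root = ET.fromstring(struts_xml)
    value = None
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = const.get("value", "")
    if value is None:
        return default
    return value.strip().lower() == "true"


def assess(version, struts_xml):
    """Combine both checks: the server is exposed to S2-032 only when the
    version is affected AND DMI is enabled."""
    affected = version_in_affected_range(version)
    dmi = dmi_enabled(struts_xml)
    return {"version_affected": affected, "dmi_enabled": dmi, "exposed": affected and dmi}


# Constructed sample configs, not taken from any real deployment.
VULNERABLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="false" />
    <package name="default" extends="struts-default">
        <action name="hello" class="example.HelloAction">
            <result>/hello.jsp</result>
        </action>
    </package>
</struts>
"""

# Same file with DMI explicitly switched off, as remediation step 1 recommends.
HARDENED_STRUTS_XML = VULNERABLE_STRUTS_XML.replace(
    '<constant name="struts.devMode" value="false" />',
    '<constant name="struts.devMode" value="false" />\n'
    '    <constant name="struts.enable.DynamicMethodInvocation" value="false" />',
)

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, assess("2.3.24", cfg))
    # Upgrading alone also removes the exposure, whatever the DMI setting.
    print("upgraded", assess("2.3.28.1", VULNERABLE_STRUTS_XML))
```

Either remediation on its own brings "exposed" to false: a fixed release is safe even with DMI left on, and an affected release is no longer reachable through this bug once DMI is off. Treat the version check as a prompt to upgrade anyway, since the DMI switch only closes this one entry point.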
Source: reprinted from NetEase Technology
Link: http://3g.163.com/digi/article/BLL1O9GL00162OUT.html