In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-02-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Share
Shulou(Shulou.com)06/01 Report--
Apache Struts2 remote code execution vulnerability example analysis, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.
Brief introduction of 0x01 vulnerability
On August 13, 2020, 360CERT Monitoring found that Apache officially issued a risk notice for the Struts2 remote code execution vulnerability, the vulnerability number is CVE-2019-0230, vulnerability level: high risk, vulnerability score: 8.5.
An attacker can construct a malicious OGNL expression and set it to be modified by external input and execute the attribute value of the Struts2 tag of the OGNL expression, causing OGNL expression parsing, resulting in the impact of remote code execution.
In this regard, 360CERT recommends that the majority of users upgrade Apache Struts2 in time to complete vulnerability repair. At the same time, please do a good job of asset self-examination and prevention to avoid hacker attacks.
0x02 risk rating
360CERT's assessment of the vulnerability is as follows
Assessment methods, threat levels, high risk impact areas, extensive 360CERT score 8.5,
0x03 vulnerability details
Apache Struts 2 is an open source web application architecture for developing Java EE web applications. It leverages and extends Java Servlet API to encourage developers to adopt the MVC architecture.
There are three limitations to this vulnerability:
The attribute value of the Struts2 tag executes an OGNL expression
The attribute value of the Struts2 tag can be modified by external input
The attribute value of the Struts2 tag has not been securely verified
Only when the above three conditions are met, an attacker can construct a malicious OGNL expression to affect the execution of remote commands.
0x04 affects version
Apache Struts2:2.0.0-2.5.20
0x05 repair recommendations General patching recommendations:
Upgrade to Struts 2.5.22 or later.
Or turn on ONGL expression injection protection
After reading the above, have you mastered the method of Apache Struts2 remote code execution vulnerability example analysis? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.