How to talk about Apache Struts2 RCE loophole CVE-2020-17530 01/22 Update SLTechnology News&Howtos

How to talk about Apache Struts2 RCE loophole CVE-2020-17530

2025-01-22 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

This article is to share with you about how to talk about Apache Struts2 RCE vulnerability CVE-2020-17530, the editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

I Introduction

Struts2 is the second generation of Java enterprise web application framework based on Model-View-Controller (MVC) model, and it has become a popular container software middleware for Java Web applications at home and abroad.

December 08, 2020, Apache Strust2 issued the latest security bulletin, Apache Struts2 has a high risk of remote code execution omission (CVE-2020-17530). Since Struts2 parses the values of some tag attributes (such as `id` and other attributes to be found) twice, when the value of `x` is controllable, the user passes in another `% {payload}` to cause the OGNL expression to execute. S2-061 is a bypass of S2-059 sandboxie.

II Impact Version

Struts 2.0.0-2.5.25

III Harmfulness

8.0 (High risk)

IV Brief analysis of vulnerabilities

The OGNL expression of S2-061 is triggered in the same way as S2-059. S2-059 fixes only sandboxie bypass and not OGNL expression execution point, because the trigger condition of this expression execution is too harsh, and S2-061 again bypasses sandboxie of S2-059.

Diff sandboxie, you can see that a lot of middleware packages have been added to the blacklist.

The known OGNL sandboxie is limited to:

1 > cannot new an object

2 > cannot call the methods and properties of blacklisted classes and packages

3 > cannot use reflection

4 > unable to call static method

5 > in addition, the latest struts2 ban dropped the commonly used class in ognl.OgnlRuntime#invokeMethod, which means that even if sandboxie is bypassed, these classes cannot be called directly.

V Vulnerability recurrence

Self-edited EXP:

VI Fix Vulnerability

1 > Struts2 is upgraded to above 2.5.26.

The above is how to talk about the Apache Struts2 RCE vulnerability CVE-2020-17530, the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.