Published on: 14 August 2020
Apache has released the security bulletins (S2-059, S2-060) to address the vulnerabilities in Apache Struts. A remote attacker could exploit the vulnerabilities by sending a specially crafted request to the affected systems.
Depending on the vulnerability exploited, a successful exploitation could lead to arbitrary code execution or denial of service on an affected system.
Administrators of the affected systems should upgrade the Apache Struts to current version 2.5.22 to address the issues. The update is available at:
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risks, in particular those posed by forced double OGNL evaluation. Details are available at:
https://struts.apache.org/announce.html#a20200813
https://cwiki.apache.org/confluence/display/WW/S2-059
https://cwiki.apache.org/confluence/display/WW/S2-060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0233