Apache has released a security bulletin (S2-061) to address a vulnerability in Apache Struts. A remote attacker could exploit the vulnerability by sending a specially crafted request to an affected system.
Successful exploitation could lead to remote code execution on an affected system.
Administrators of affected systems should upgrade Apache Struts to the current version 2.5.26 to address the issue. The update is available at:
https://struts.apache.org/download.cgi
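To find the copies that need the upgrade, the following added example (not part of the bulletin or of Apache's tooling) walks a WAR/EAR archive, including archives nested inside it, and flags every bundled Struts core jar older than 2.5.26. It assumes the core library keeps its usual file name `struts2-core-<version>.jar`, so a renamed or repackaged jar is not detected; the sample archive is constructed for the demonstration.

```python
import io
import re
import zipfile

FIXED = (2, 5, 26)  # fixed release named in the advisory
MAX_NESTED = 256 * 1024 * 1024  # do not unpack nested archives larger than this
# Assumption: the Struts core library is bundled as struts2-core-<version>.jar
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
NESTED = (".war", ".ear", ".jar", ".zip")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def scan_archive(data, label, depth=0, max_depth=3):
    """Return [(path, version, needs_upgrade)] for each Struts core jar in `data`."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, or corrupt: nothing to report
    with zf:
        for info in zf.infolist():
            path = f"{label}!/{info.filename}"
            match = JAR_RE.search(info.filename)
            if match:
                version = match.group(1)
                findings.append((path, version, parse_version(version) < FIXED))
            elif (depth < max_depth and info.file_size <= MAX_NESTED
                  and info.filename.lower().endswith(NESTED)):
                findings += scan_archive(zf.read(info), path, depth + 1, max_depth)
    return findings


def build_sample():
    """Constructed sample: an EAR holding two WARs (not real application data)."""
    def archive(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    old_war = archive({"WEB-INF/lib/struts2-core-2.5.25.jar": b""})
    new_war = archive({"WEB-INF/lib/struts2-core-2.5.26.jar": b""})
    return archive({"old.war": old_war, "new.war": new_war})


if __name__ == "__main__":
    for path, version, outdated in scan_archive(build_sample(), "sample.ear"):
        print("UPGRADE" if outdated else "ok     ", version, path)
```

To scan a real deployment, pass the archive's bytes, for example `scan_archive(open(path, "rb").read(), path)`.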
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risks, in particular those posed by forced double OGNL evaluation on untrusted user input. Details are available at:
https://cwiki.apache.org/confluence/display/WW/S2-061
https://struts.apache.org/announce.html#a20201208
https://www.hkcert.org/my_url/en/alert/20120904
https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/apache-releases-security-update-apache-struts-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530