Published on: 09 December 2020
Apache has released the security bulletin (S2-061) to address a vulnerability in Apache Struts. A remote attacker could exploit the vulnerabilities by sending a specially crafted request to the affected systems.
A successful exploitation could lead to remote code execution on an affected system.
Administrators of the affected systems should upgrade the Apache Struts to current version 2.5.26 to address the issues. The update is available at:
https://struts.apache.org/download.cgi
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risks, in particular those posed by forced double OGNL evaluation on untrusted user. Details are available at:
https://cwiki.apache.org/confluence/display/WW/S2-061
https://struts.apache.org/announce.html#a20201208
https://cwiki.apache.org/confluence/display/WW/S2-061
https://www.hkcert.org/my_url/en/alert/20120904
https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/apache-releases-security-update-apache-struts-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17530