JVN#43969166
Apache Struts 2 vulnerable to remote code execution (S2-061)
Overview
Apache Struts 2 contains a remote code execution vulnerability.
Products Affected
- Apache Struts 2.0.0 to 2.5.25
Description
Apache Struts 2 provided by The Apache Software Foundation contains a remote code execution vulnerability due to improper input validation (CWE-20): when forced OGNL evaluation (the %{...} syntax) is applied to a tag attribute whose value is built from untrusted input, the attacker-controlled value is itself evaluated as an OGNL expression.
Impact
A remote attacker may execute arbitrary code.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer. The developer's advisory S2-061 names Struts 2.5.26 as the release containing the fix.
Apply the workaround
Do not use forced OGNL evaluation (%{...}) in tag attributes whose value is derived from untrusted or unvalidated user input. Struts tag attributes that already evaluate OGNL do not need %{...}; wrapping them in it causes the attribute value to be evaluated a second time, which is the behaviour this vulnerability abuses.
The developer recommends that users follow the recommendations in the Struts Security Guide.
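As a practical check for the workaround above, the following Python script (added here as an example; it is not part of the JVN advisory or of the Apache Struts project) scans a Struts 2 view template for %{...} inside tag attributes and flags the ones whose expression is a bare action property, which is the kind of value the params interceptor typically populates from request parameters. The sample template, the "s" tag prefix, the double-quoted attribute convention and the bare-property heuristic are assumptions of this example, not facts from the advisory.

```python
"""Scan Struts 2 view templates for forced OGNL evaluation (%{...}) in tag attributes.

Added example; not part of the JVN advisory or of Apache Struts.
Heuristic, regex-based: it assumes Struts tags use the conventional "s" prefix
and double-quoted attribute values, and it does not parse nested quotes or
OGNL expressions that contain a literal '>'.
"""
import re
from dataclasses import dataclass
from typing import List

# <s:tagName ...attributes...>  group 1 = tag name, group 2 = attribute text
STRUTS_TAG = re.compile(r"<s:([A-Za-z]+)\b([^>]*)>")
# attr="value" pairs inside the attribute text
ATTR = re.compile(r'([A-Za-z_][\w:.-]*)\s*=\s*"([^"]*)"')
# forced OGNL evaluation syntax
FORCED_OGNL = re.compile(r"%\{([^}]*)\}")
# A bare property path such as skillName or user.name. Assumption of this
# example: such values are commonly bound from request parameters by the
# params interceptor, so they deserve a closer look than a '#'-variable or
# a constant written literally in the template.
BARE_PROPERTY = re.compile(r"[A-Za-z_][\w.]*")


@dataclass
class Finding:
    line: int
    tag: str
    attribute: str
    expression: str
    likely_user_controlled: bool


def find_forced_ognl(template: str) -> List[Finding]:
    """Return every %{...} occurrence found in a Struts tag attribute."""
    findings: List[Finding] = []
    for tag in STRUTS_TAG.finditer(template):
        # 1-based line of the tag's opening '<'
        line = template.count("\n", 0, tag.start()) + 1
        for attr in ATTR.finditer(tag.group(2)):
            for expr in FORCED_OGNL.finditer(attr.group(2)):
                expression = expr.group(1).strip()
                findings.append(Finding(
                    line=line,
                    tag=tag.group(1),
                    attribute=attr.group(1),
                    expression=expression,
                    likely_user_controlled=BARE_PROPERTY.fullmatch(expression) is not None,
                ))
    return findings


def report(template: str) -> List[str]:
    """One human-readable line per finding, suitable for a CI or pre-commit check."""
    return [
        f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\">"
        + (" <- bare action property; verify it is not request-controlled"
           if f.likely_user_controlled else "")
        for f in find_forced_ognl(template)
    ]


# Constructed sample template for demonstration; not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:textfield name="skillName" label="Skill"/>
  <s:a id="%{skillName}">Show skill</s:a>
  <s:url value="%{#request.contextPath}"/>
  <s:property value="skillName"/>
</s:form>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_JSP):
        print(line)
```

Run it over every *.jsp and *.ftl file in the application. A finding whose expression is a bare action property (line 4 in the sample) is the pattern the advisory warns about: if that property is set from a request parameter, the parameter's contents are evaluated as OGNL when the tag renders. A %{...} wrapping a template-literal variable such as #request.contextPath (line 5) does not carry user input, but the forced evaluation is still unnecessary on attributes that are already OGNL-evaluated and is worth removing.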
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
DENSO Corporation | Vulnerability Information Provided | 2020/12/11 | |
FANUC CORPORATION | Vulnerability Information Provided | 2020/12/11 | |
FUJITSU CONNECTED TECHNOLOGIES LIMITED | Vulnerability Information Provided | 2020/12/11 | |
FUJITSU LIMITED | Not Vulnerable | 2020/12/11 | |
Hitachi | Vulnerability Information Provided | 2020/12/11 | |
INTEC Inc. | Vulnerability Information Provided | 2020/12/11 | |
JVCKENWOOD Corporation | Vulnerability Information Provided | 2020/12/11 | |
NEC Corporation | Vulnerable | 2022/04/15 | |
NTT DATA Corporation | Not Vulnerable, investigating | 2020/12/11 | |
Phone Appli Inc. | Vulnerability Information Provided | 2020/12/11 | |
Rakuten, Inc | Vulnerability Information Provided | 2020/12/11 | |
RICOH COMPANY, LTD. | Vulnerability Information Provided | 2020/12/11 | |
Smart Solution Technology, Inc. | Not Vulnerable, investigating | 2020/12/11 | |
Sony Corporation | Vulnerability Information Provided | 2020/12/11 | |
Symantec Japan, Inc. | Vulnerability Information Provided | 2020/12/11 | |
TDK Corporation | Not Vulnerable | 2020/12/11 | |
Toshiba Corporation | Vulnerability Information Provided | 2020/12/11 | |
WAM!NET Japan K.K. | Not Vulnerable | 2020/12/11 | |
Vendor | Link |
---|---|
The Apache Software Foundation | 08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530 |
| S2-061 - Apache Struts 2 Wiki - Apache Software Foundation |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics (each row lists the possible values for that metric):
Metric | Possible values |
---|---|
Attack Vector (AV) | Physical (P), Local (L), Adjacent (A), Network (N) |
Attack Complexity (AC) | High (H), Low (L) |
Privileges Required (PR) | High (H), Low (L), None (N) |
User Interaction (UI) | Required (R), None (N) |
Scope (S) | Unchanged (U), Changed (C) |
Confidentiality Impact (C) | None (N), Low (L), High (H) |
Integrity Impact (I) | None (N), Low (L), High (H) |
Availability Impact (A) | None (N), Low (L), High (H) |
CVSS v2 base metrics:
Metric | Possible values |
---|---|
Access Vector (AV) | Local (L), Adjacent Network (A), Network (N) |
Access Complexity (AC) | High (H), Medium (M), Low (L) |
Authentication (Au) | Multiple (M), Single (S), None (N) |
Confidentiality Impact (C) | None (N), Partial (P), Complete (C) |
Integrity Impact (I) | None (N), Partial (P), Complete (C) |
Availability Impact (A) | None (N), Partial (P), Complete (C) |
Credit
Masato Anzai of Aeye Security Lab, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Source | Reference |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2020-17530 |
JVN iPedia | JVNDB-2020-000084 |
Update History
- 2022/04/18
- NEC Corporation update status