You are here

Struts2/OGNL: Remote command execution

S2-014, S2-015, S2-016, CB-K13/0388, CB-K13/0484, CVE-2013-1966, CVE-2013-2135, CVE-2013-2135, CVE-2013-2115, CVE-2013-2251
Struts2, OGNL

Three Apache Struts2 vulnerabilities have been found which may allow remote command execution by injecting OGNL expressions.

The affected Struts2 versions are:

For vulnerability S2-014 [1] : 2.0.0 -
For vulnerability S2-015 [2] : 2.0.0 -
For vulnerability S2-016 [3] : 2.0.0 - 2.3.15

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.


If you are using Apache Struts2 on a back-end system we strongly recommend to update Struts2 to version or higher. If you are not able to update Struts2 you can add the following deny rules on Airlock and activate the rules for all mappings connected to an affected back-end group (i.e where a vulnerable Struts2 version is active).

Deny Rule for Issue S2-014 and S2-015

Use the following regular expression for the parameter *value* deny rule to patch issue S2-014 and S2-015:

Rule nameApache Struts2 OGNL injection param value
Deny rule typeParameter Value
Regular expression name   Double evaluation (S2-014 / S2-015)

Screenshot of the deny rule in Airlock 4.2.6:
Struts2 deny rule to fix S02-014 and S02-015

Deny Rule for Issue S2-016

Use the following regular expression for the parameter *name* deny rule to patch issue S2-016:

Rule nameApache Struts2 OGNL injection param name
Deny rule typeParameter Name
Regular expression name   DefaultActionMapper sanitization (S2-016)

Screenshot of the deny rule in Airlock 4.2.6:Struts2 deny rule to fix issue S02-016

Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution