
Apache Struts2 Vulnerabilities S2-031, S2-032

IDs: 
S2-031, S2-032, CVE-2016-3081, CVE-2016-3082
Keywords: 
Struts2
Description: 

Two Apache Struts2 vulnerabilities have been found which may allow remote code execution [1,2].

  • S2-031 Remote Code Execution can be performed via the method: prefix when Dynamic Method Invocation is enabled [1]
  • S2-032 XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code [2]

Affected versions:

  • S2-031: Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
  • S2-032: Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)

Resolution: 

If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.28.1 or higher.

Alternatively, S2-032 can be prevented by disabling Dynamic Method Invocation or by configuring a custom Deny Rule on Airlock WAF with the following parameter value pattern:

Pattern = method:
Case-sensitive = OFF
Invert = OFF
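The two mitigations above, as an added example that is not part of this advisory or of Airlock's own code: a simulation of the deny rule (pattern "method:", case-insensitive, not inverted) applied to both parameter names and values of a request, and a check of a struts.xml document for the struts.enable.DynamicMethodInvocation constant. The sample query strings and struts.xml are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# The advisory's deny rule: pattern "method:", Case-sensitive = OFF, Invert = OFF.
DENY_PATTERN = re.compile(r"method:", re.IGNORECASE)


def violates_deny_rule(query_string: str) -> list:
    """Return the parameters ("name=value") that the deny rule would block.
    Names and values are both checked: the DMI prefix travels in the parameter
    name, while the advisory expresses the rule as a value pattern."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if DENY_PATTERN.search(name) or DENY_PATTERN.search(value):
            hits.append(f"{name}={value}")
    return hits


def dmi_enabled(struts_xml: str):
    """Look for the struts.enable.DynamicMethodInvocation constant in struts.xml.
    Returns True/False when it is set explicitly and None when it is absent,
    in which case the framework default of the deployed version applies."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.enable.DynamicMethodInvocation":
            return const.get("value", "").strip().lower() == "true"
    return None


# Constructed sample inputs (not taken from the advisory).
SAMPLE_QUERIES = {
    "benign": "user=alice&page=2",
    "dmi_prefix_in_name": "method:login=1&user=alice",
    "mixed_case_in_value": "redirect=METHOD:index",
}

SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <constant name="struts.devMode" value="false"/>
</struts>"""

if __name__ == "__main__":
    for label, qs in SAMPLE_QUERIES.items():
        print(label, "->", violates_deny_rule(qs) or "allowed")
    print("DMI explicitly enabled:", dmi_enabled(SAMPLE_STRUTS_XML))
```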

S2-031 can be prevented by implementing your own XSLTResult based on the code of versions Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution