Apache Struts Vulnerabilities S2-028, S2-029, S2-030

S2-028, S2-029, S2-030, CVE-2016-4003, CVE-2016-0785, CVE-2016-2162
Struts2, OGNL

Three Apache Struts2 vulnerabilities have been found which may allow remote command execution and XSS [1].

  • S2-028 Possible XSS vulnerability in pages not using UTF-8 was fixed.
  • S2-029 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
  • S2-030 I18NInterceptor narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability.

Airlock WAF protects against known exploits of S2-028 and S2-030. Double OGNL evaluation (S2-029) can be prevented with a virtual patch on Airlock WAF by configuring a custom Deny Rule with the parameter value pattern:

Case-sensitive = OFF
Invert = OFF

If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.28 or higher [1]. If you cannot update immediately and cannot rule out exploitation, we recommend configuring at least the described virtual patch until Struts2 is updated.

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Back-ends may be vulnerable, see resolution