Mitigating Apache Struts Double OGNL Evaluation Vulnerability (S2-059 / CVE-2019-0230)
Recently a new Remote Code Execution vulnerability in Apache Struts was disclosed, this vulnerability is tracked by struts internal security advisory id of S2-059 as well as CVE identifier CVE-2019-0230.
As of the moment of publishing this blog, there are no public details available regarding how to exploit this specific vulnerability, but from the Struts security advisory, we can learn that the issue only affects Struts applications that meet certain conditions:
- The application is using OGNL evaluation syntax (${…} / %{…}) inside Struts tag attributes
- The application is passing un-sanitized user input as the value of those Struts tag attributes
Figure 1: Example of vulnerable Apache Struts application page that meets the conditions mentioned above
When those two conditions are met, attackers may try to inject arbitrary OGNL expressions as the value of the vulnerable tag attributes which may lead in certain payloads to Remote Code Execution.
Figure 2: Example of injecting arbitrary OGNL expression to the vulnerable application showed above
Mitigating the vulnerability with BIG-IP Advanced WAF
When the vulnerability was first announced we have successfully reproduced it in our lab and verified that our customers already protected with existing signatures.
BIG-IP Advanced WAF customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or
“Java Servlets/JSP” System.
Additional References
https://securitylab.github.com/research/apache-struts-double-evaluation
https://cwiki.apache.org/confluence/display/WW/S2-059