Apache Struts 2 Vulnerability
Hello. We use ELA MSP and on our Managed server, our weekly vulnerability scanner flagged it as having a critical vulnerability, and suggested the Apache Struts be updated to version 2.3.28 or higher. Is there a fix for this specific one (whether special patch or just an update that is needed)? The exact message is:
"Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE
Description
The remote web application appears to use Apache Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. A remote code execution vulnerability exists due to double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.
Note that this plugin only reports the first vulnerable instance of a Struts 2 application.
Solution
Upgrade to Apache Struts version 2.3.28 or later. Alternatively, apply the workaround referenced in the vendor advisory."
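To confirm which Struts build a server actually ships before and after applying an update, the bundled jar versions can be compared with the 2.3.28 minimum quoted in the scanner's solution text. The script below is an added example, not part of the original post or the vendor's tooling; it assumes the directory passed to `scan_struts` is the product's installation directory and that the jars keep the standard `struts2-core-<version>.jar` file name.

```bash
#!/usr/bin/env bash
# Added example: report struts2-core jars older than the fixed version.

FIXED_VERSION="2.3.28"   # minimum version named in the scanner's "Solution"

# Succeeds when version $1 is strictly lower than version $2 (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints the version embedded in a name such as struts2-core-2.3.24.1.jar.
jar_version() {
    basename "$1" .jar | sed -n 's/^struts2-core-\([0-9][0-9.]*\).*$/\1/p'
}

# Prints one line per jar found under $1: STATUS<TAB>version<TAB>path
scan_struts() {
    local root="$1" jar ver
    find "$root" -type f -name 'struts2-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver="$(jar_version "$jar")"
        if [ -z "$ver" ]; then
            printf 'UNKNOWN\t-\t%s\n' "$jar"        # name carries no version
        elif version_lt "$ver" "$FIXED_VERSION"; then
            printf 'OUTDATED\t%s\t%s\n' "$ver" "$jar"
        else
            printf 'OK\t%s\t%s\n' "$ver" "$jar"
        fi
    done
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_struts "$1"
fi
```

The check reads file names only, so a renamed jar or one packed inside a WAR archive is not found; a rescan with the vulnerability scanner remains the authoritative confirmation.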