Talking about Apache Struts2 RCE (CVE-2020-17530)

Recently the hot topic in the community has been the new Struts2 vulnerability (CVE-2020-17530), so let's talk about it; I hope this can serve as a useful starting point.

I Introduction
Struts2 is a second-generation Java enterprise web application framework built on the Model-View-Controller (MVC) pattern. It has become one of the most widely used pieces of middleware for Java web applications, both in China and abroad.

On December 8, 2020, Apache published the Struts security bulletin S2-061, disclosing a high-severity remote code execution vulnerability (CVE-2020-17530). Struts2 performs a second (forced) OGNL evaluation on the values of certain tag attributes (such as id; other affected attributes remain to be identified). When such an attribute is written as %{x} and the value of x is attacker-controlled, the attacker can supply a value of the form %{payload}, and the second evaluation executes that payload as an OGNL expression. S2-061 is a bypass of the sandbox introduced for S2-059.
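As an added illustration of the double-evaluation pattern described above (this is a constructed example, not code from the original post or from the Struts project): a JSP using the Struts tag library, with a hypothetical action property skillName that the params interceptor populates from the request parameter ?skillName=... The vulnerable form forces OGNL evaluation on the id attribute; the hardened form keeps untrusted text out of forced-evaluation attributes.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- Constructed example: skillName is a hypothetical String property on the
     action, filled from the request parameter ?skillName=... --%>

<%-- VULNERABLE: the id attribute is evaluated twice.
     Pass 1: %{skillName} -> the property value, e.g. the string "%{1+1}".
     Pass 2: Struts evaluates the attribute again, so the %{...} contained in
     that result is parsed as OGNL too, and the page renders <a id="2" ...>.
     Request to reproduce the benign case: ?skillName=%25%7B1%2B1%7D
     S2-061 is about the second pass carrying a payload that escapes the
     OGNL sandbox instead of a harmless 1+1. --%>
<s:a id="%{skillName}" href="#">vulnerable link</s:a>

<%-- HARDENED: never build a forced-evaluation (%{...}) attribute from raw
     user input. Render the untrusted value as escaped text instead: the
     value attribute is evaluated once and the resulting string is not
     re-parsed, so "%{1+1}" is shown literally as %{1+1}. --%>
<a id="skill-link" href="#"><s:property value="skillName" /></a>

<%-- If the value really must land in an attribute, constrain it server-side
     first (for example an allowlist such as [A-Za-z0-9_-]+ in the action's
     validate() method) so that "%{" can never reach the tag, and run a
     Struts version that contains the S2-061 fix (2.5.26 or later). --%>
```

The benign %{1+1} probe is the quickest way to confirm a second evaluation pass on a given attribute: if the rendered markup contains 2 rather than the literal text, the attribute is a forced-evaluation sink and any sandbox escape that works in the deployed Struts/OGNL versions becomes reachable through it.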

II Affected Versions
Struts 2.0.0 to 2.5.25

III Severity
8.0 (high risk)

IV Brief analysis of the vulnerability
S2-061 and S2-059 share the same OGNL expression execution trigger. The S2-059 fix only addressed the sandbox bypass, not the expression execution point itself, presumably because the conditions needed to trigger the evaluation were considered too restrictive to be worth removing. S2-061 simply bypasses the S2-059 sandbox again.

Diffing the sandbox configuration between versions (the class and package blacklists struts.excludedClasses and struts.excludedPackageNames in struts-default.xml) shows that many middleware packages have been added to the blacklist.


The known restrictions of the OGNL sandbox are:

1> Objects cannot be instantiated with new

2> Methods and properties of blacklisted classes and packages cannot be accessed

3> Reflection cannot be used

4> Static methods cannot be called

5> In addition, the newer OGNL library itself, in ognl.OgnlRuntime#invokeMethod, refuses to invoke methods on a fixed set of commonly abused classes (such as java.lang.Runtime, java.lang.ProcessBuilder, java.lang.ClassLoader, java.lang.Class and java.lang.reflect.Method), which means these classes cannot be called directly even if the Struts sandbox is bypassed.