Apache Struts 2 OGNL Script Injection

February 3, 2012

Apache Struts is a framework for building Java-based web applications. There are two major versions of the Struts framework, Struts, and Struts 2. The framework enables web application developers to separate business logic from user interfaces. In this architecture, a 'view' is a rendered model presented to the user. User input is passed to a controller, which requests a state change in the model and generates a new view.
In Struts, JSP scripts are commonly used to generate HTML pages. An XML file is used for mapping action names, such as login or search, to either JSP pages, or Java actions.
Actions are accessed via Request URIs in the following form:


The markup used in JSP pages can also include Object Graph Navigation Language (OGNL) statements in addition to HTML and XML. OGNL can be used as a replacement for simple Java expressions, such as the use of getters and setters. OGNL also supports the calling of Java methods, function definitions, and the construction of new Java objects. Struts 2 supports the notion of interceptors, which work by intercepting method invocation both prior and after method execution. In its default configuration, several interceptors are enabled for pre-processing input to actions. One such interceptor is invoked when query string values do not match their associated type in the relevant action. The interceptor is thus invoked when a function is called with value types that are not expected by the respective method.

A design error exists in Apache's Struts 2 framework. The HTTP request parameter value passed to the vulnerable interceptor is interpreted as an OGNL statement and evaluated. As such, a remote attacker can execute arbitrary OGNL expressions by sending an HTTP request to a vulnerable Struts 2 web application. Causing a type mismatch, the value, evaluated as an OGNL expression, can overwrite global Struts variables and effectively perform any action that the compiled Java code could perform.

SonicWALL has released several IPS signatures that will detect and block generic attack attempts targeting this vulnerability. The following signatures were released:

  • 7334 - Apache Struts 2 OGNL Script Injection 1
  • 7335 - Apache Struts 2 OGNL Script Injection 2
  • 7336 - Apache Struts 2 OGNL Script Injection 3

The vendor has released an advisory to address this issue.
The vulnerability has been assigned id CVE-2012-0391 by mitre.