Apache Struts Dynamic Method Invocation Remote Code Execution

June 3, 2016

A remote, unauthenticated vulnerability exists in Apache Struts. The vulnerability allows an attacker to execute arbitrary code on the server with the privileges of the user running the Java web container process (e.g. JBoss or Tomcat). CVE-2016-3081 is assigned to this vulnerability.

Apache Struts is an MVC (model-view-controller) framework for building Java applications. It uses the Java Servlet APIs to expose the ActionServlet controller. Requests coming from a client are sent to the controller in the form of 'actions'. These actions are outlined as a map in a configuration file, and the corresponding method is invoked accordingly. An interface called ActionMapper provides the mapping between a request and the corresponding action. The default implementation is the DefaultActionMapper class.

A remote code execution vulnerability exists in the Apache Struts 2 framework due to a lack of proper sanitization inside the constructor of DefaultActionMapper, which fails to properly validate the values provided by the attacker. This allows a remote attacker to craft a malicious request that causes the vulnerable server to execute arbitrary code.

The following versions of Apache Struts are vulnerable:

  • Apache Struts 2

The Dell SonicWALL team has written the following signatures that help protect our customers from this attack:

  • 11631:Apache Struts Dynamic Method Invocation Remote Code Execution 1
  • 11632:Apache Struts Dynamic Method Invocation Remote Code Execution 2
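
For defenders who want to review their own web logs for this class of request, here is an added example (not the logic of the signatures above and not code from Apache Struts). It assumes the two request forms Struts 2 uses for Dynamic Method Invocation, bang notation (`action!method`) and the `method:` parameter-name prefix, neither of which is spelled out on this page, and it flags any requested method name that is not a plain Java identifier. The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a legitimate action method name is a plain Java identifier.
SAFE_METHOD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
# Request target from a common/combined-format access log line (GET/POST only).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def dmi_methods(target):
    """Return every method name the request asks Struts to invoke dynamically."""
    parts = urlsplit(target)
    names = []
    # Form 1: the parameter *name* carries the method, e.g. ?method:save=Submit
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.startswith("method:"):
            names.append(key[len("method:"):])
    # Form 2: bang notation in the last path segment, e.g. /order!save.action
    last = unquote(parts.path).rsplit("/", 1)[-1]
    if "!" in last:
        name = last.split("!", 1)[1]
        for ext in (".action", ".do"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        names.append(name)
    return names

def is_suspicious(target):
    """True when any dynamically requested method name fails the allowlist."""
    return any(not SAFE_METHOD.match(m) for m in dmi_methods(target))

def scan(log_lines):
    """Return the request targets that should be reviewed."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2016:10:00:01 +0000] "GET /shop/order!save.action HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Jun/2016:10:00:05 +0000] "GET /shop/order.action?method:cancel=Cancel HTTP/1.1" 200 498',
    '198.51.100.7 - - [03/Jun/2016:10:02:11 +0000] "GET /shop/order.action?method:%28placeholder-expression%29=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [03/Jun/2016:10:02:12 +0000] "GET /shop/index.action HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for target in scan(SAMPLE_LOG):
        print("review:", target)
```

Access logs normally record only the request line, so parameters sent in a POST body are outside what this check can see.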