The developers of the Apache Struts 2 Java web framework have released version 2.3.1.2, which closes a critical hole in Struts versions 2.0.0 to 2.3.1.1 that allowed remote command execution.
The vulnerability allows an attacker to bypass all of the protections built into the ParametersInterceptor (the regular expression that restricts accepted parameter names and the setting that denies method invocation) and to inject a malicious OGNL expression into any exposed string property, where it can later be evaluated.
An example in the advisory shows how an attacker could invoke java.lang.Runtime.getRuntime().exec() to run an arbitrary command when an action exposes a suitable property. This is not the first time OGNL, the expression language Struts uses to get and set properties of Java objects, has been a problem: in 2008 and 2010, similar issues allowed unauthorised manipulation and execution of Java classes.
Developers should update to Struts 2.3.1.2, which is available for download; the release notes describe how to upgrade. For installations that cannot be updated immediately, the advisory offers a configuration change that mitigates the problem.
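To make the ParametersInterceptor point concrete, here is an added example (not Struts code and not the advisory's workaround verbatim) that models the interceptor's name gate in Python: a request parameter is bound to an action property only if its name matches an accept pattern and no exclude pattern, while parameter values are never inspected. The two accept patterns and the exclude list are constructed for illustration (the permissive one is written to resemble the pre-fix default, but check the source of the version you run); the parameter names in the sample request are likewise constructed. The name `z[(foo)('x')]` uses OGNL's parenthesised sub-expression syntax, which is what lets a name evaluate the value previously stored in another property.

```python
import re

# Added example, not Struts code. Models the parameter-name gate of a
# ParametersInterceptor-style filter: a request parameter is only bound to an
# action property when its NAME matches an accept pattern and no exclude pattern.
# Values are never checked, so the name pattern alone decides whether a name can
# carry OGNL that evaluates another property's (attacker-supplied) value.

# Permissive pattern: letters, digits, dots, brackets, parentheses, quotes and
# whitespace. Parentheses are what allow a name such as z[(foo)('x')] to act as a
# sub-expression that evaluates the value stored in property `foo`.
# (Constructed to resemble the pre-fix default; verify against your version's source.)
PERMISSIVE_ACCEPT = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")

# Strict pattern: plain property paths only (identifiers, dots, index brackets, quotes).
STRICT_ACCEPT = re.compile(r"[a-zA-Z0-9\.\]\[_']+")

# Exclude list in the spirit of an excludeParams setting: framework-internal names
# plus anything containing parentheses or '@' (static access). Illustrative values.
EXCLUDE = [re.compile(p) for p in (r"dojo\..*", r"^struts\..*", r".*\(.*", r".*\).*", r".*@.*")]


def is_acceptable(name, accept_re, exclude_res=()):
    """Return True if `name` may be bound, using Java-style whole-string matching."""
    if accept_re.fullmatch(name) is None:
        return False
    return not any(x.fullmatch(name) for x in exclude_res)


def filter_params(params, accept_re, exclude_res=()):
    """Return the subset of request parameters whose names pass the gate."""
    return {k: v for k, v in params.items() if is_acceptable(k, accept_re, exclude_res)}


# Constructed request: two benign parameters, a plain string property `foo` whose
# value stands in for client-controlled text (an inert placeholder here), and a
# fourth parameter whose NAME is an OGNL sub-expression referring to `foo`.
REQUEST = {
    "user.name": "alice",
    "orders[0].id": "42",
    "foo": "<expression supplied by the client>",
    "z[(foo)('x')]": "true",
}

if __name__ == "__main__":
    for label, accept, excl in (("permissive", PERMISSIVE_ACCEPT, ()),
                                ("strict", STRICT_ACCEPT, ()),
                                ("permissive+exclude", PERMISSIVE_ACCEPT, EXCLUDE)):
        print(label, sorted(filter_params(REQUEST, accept, excl)))
```

Under the permissive pattern all four names are bound, including the one that evaluates `foo`; under the strict pattern, or with the exclude list applied, `foo` is still bound as an ordinary string but nothing in the request can cause it to be evaluated. Denylisting names in an exclude list is a stopgap that depends on the list being complete, which is why the advisory's recommendation is to upgrade rather than rely on configuration alone.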
Earlier this month, the Apache Struts developers released version 2.3.1.1 of their open source framework for Java-based web applications.
That update closed critical holes in Struts 2, fixing four previously known security vulnerabilities that an attacker could exploit to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.