1. Introduction
"Apache Struts 2 OGNL Console Detected" is a finding reported when an Apache Struts 2 application is running with development mode enabled, which exposes a console that can leak sensitive information about the underlying system and potentially lead to further compromise. This affects web applications using the Struts framework and could allow attackers to gather details about the Java environment and installed components. Confidentiality, integrity, and availability may be impacted if an attacker gains access to this information.
2. Technical Explanation
The vulnerability occurs when Apache Struts 2 is configured in development mode. This mode provides debugging features but also exposes an OGNL console accessible via HTTP. Attackers can use this console to execute arbitrary code and retrieve system details. The primary risk is information disclosure, which could be used for further attacks.
- Root cause: Struts 2 development mode is enabled in a production environment.
- Exploit mechanism: An attacker accesses the exposed OGNL console via HTTP and executes commands to retrieve system information or potentially execute code.
- Scope: Apache Struts 2 applications running with development mode enabled.
3. Detection and Assessment
To confirm whether a system is vulnerable, check for the presence of the OGNL console in the application's web interface. A thorough assessment also involves examining the Struts configuration files.
- Quick checks: Access the application URL followed by `/ognl/console`. If accessible, it indicates development mode is enabled.
- Scanning: Nessus plugin ID 138457 can detect this vulnerability.
- Logs and evidence: Check web server logs for requests to `/ognl/console`.
curl -I http://{target_url}/ognl/console
4. Solution / Remediation Steps
The solution is to disable Apache Struts 2 development mode in production environments.
4.1 Preparation
- Ensure you have appropriate permissions to modify the Struts configuration. Change windows should be scheduled during low-traffic periods and approved by security teams.
4.2 Implementation
- Step 1: Edit the `struts.xml` file.
- Step 2: Locate the `<constant name="struts.devMode" value="true"/>` entry.
- Step 3: Change the value of `struts.devMode` from `true` to `false`.
- Step 4: Save the changes and restart the application service.
4.3 Config or Code Example
Before
<constant name="struts.devMode" value="true"/>
After
<constant name="struts.devMode" value="false"/>
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this vulnerability.
- Secure configuration: Ensure Struts applications are configured with secure defaults, disabling development mode in production.
- Least privilege: Limit access to sensitive resources and configurations.
4.5 Automation (Optional)
The fix is a configuration change rather than a patch, so there is no vendor-supplied automation for it. However, infrastructure-as-code tools can be used to enforce secure Struts configurations across deployments.
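As an added example (not from this guide or the Struts project), the following Python script performs the configuration-file assessment from section 3 and the `struts.xml` remediation from section 4.2 in a form a pipeline can run; the sample `struts.xml` and `struts.properties` are constructed, and the accepted "enabled" spellings and the `name=`-before-`value=` attribute order are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a struts.xml with development mode enabled.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <!-- left over from development -->
    <constant name="struts.devMode" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""
# Constructed sample of a struts.properties that also enables devMode.
SAMPLE_STRUTS_PROPERTIES = "# constructed\nstruts.devMode = true\nstruts.action.extension=action\n"

TRUTHY = {"true", "yes", "on", "1"}  # assumption: spellings treated as "enabled"
# Matches the devMode <constant>; assumes name= precedes value=, as in the guide.
DEVMODE_CONSTANT_RE = re.compile(
    r'(<constant\b[^>]*\bname\s*=\s*"struts\.devMode"[^>]*\bvalue\s*=\s*")[^"]*(")'
)

def devmode_from_xml(xml_text):
    """Return the struts.devMode value declared in struts.xml, or None.
    Does not follow <include file=.../>; audit included files separately."""
    value = None
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name", "").strip() == "struts.devMode":
            value = const.get("value", "").strip()  # a later declaration overrides
    return value

def devmode_from_properties(props_text):
    """Return the struts.devMode value from struts.properties, or None."""
    value = None
    for line in props_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            m = re.match(r"^struts\.devMode\s*[=:\s]\s*(.*)$", line)
            if m:
                value = m.group(1).strip()
    return value

def audit_devmode(xml_text, props_text=""):
    """Report every config source that enables devMode; vulnerable if any does."""
    sources = {"struts.xml": devmode_from_xml(xml_text),
               "struts.properties": devmode_from_properties(props_text)}
    enabled = [s for s, v in sources.items() if v and v.lower() in TRUTHY]
    return {"sources": sources, "enabled_in": enabled, "vulnerable": bool(enabled)}

def remediate_xml(xml_text):
    """Flip the devMode constant to false in place, keeping comments and layout."""
    return DEVMODE_CONSTANT_RE.sub(r"\g<1>false\g<2>", xml_text)
```

Run the audit against the real files before and after editing; the regex-based rewrite keeps comments and indentation intact, which an XML re-serialisation would not.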
5. Verification / Validation
- Post-fix check: Access `http://{target_url}/ognl/console`. A 404 or other error should be returned, indicating the console is no longer accessible.
- Re-test: Re-run the curl command from the detection section to confirm the console is inaccessible.
- Smoke test: Verify core application functionality (e.g., login, data submission) remains operational.
- Monitoring: Monitor web server logs for any unexpected access attempts to `/ognl/console`.
curl -I http://{target_url}/ognl/console
6. Preventive Measures and Monitoring
Regular security audits and configuration reviews can help prevent this vulnerability.
- Baselines: Implement a security baseline that requires disabling development mode in production Struts applications.
- Pipelines: Integrate static code analysis into the CI/CD pipeline to identify insecure configurations.
- Asset and patch process: Regularly review application configurations for compliance with security standards.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Restarting the application service may cause temporary downtime.
- Roll back: Restore the original `struts.xml` file and restart the application service if any issues occur.
8. References and Resources
Links to official advisories and documentation.
- Vendor advisory or bulletin: https://struts.apache.org/core-developers/development-mode.html
- NVD or CVE entry: Not applicable as this is a configuration issue, not a specific vulnerability with a CVE.
- Product or platform documentation relevant to the fix: https://struts.apache.org/security/#disable-devmode