1. Introduction
Apache Struts 2.x < 2.5.26 contains a Remote Code Execution (RCE) vulnerability, identified as S2-061. This flaw allows attackers to execute arbitrary code on vulnerable servers by exploiting forced double OGNL evaluation when processing user input in tag attributes. Affected systems typically include web applications using the Apache Struts 2 framework. Successful exploitation can lead to complete system compromise, impacting confidentiality, integrity and availability of data and services.
2. Technical Explanation
The vulnerability arises from how Apache Struts 2 handles OGNL (Object-Graph Navigation Language) expressions within tag attributes. Versions prior to 2.5.26 improperly evaluate user-supplied input, allowing malicious code to be injected and executed. An attacker can craft a specially designed HTTP request containing a harmful OGNL expression that will be processed by the server when rendering a page with vulnerable tags.
- Root cause: Forced double OGNL evaluation on raw user input in tag attributes.
- Exploit mechanism: An attacker sends an HTTP request with a malicious payload within a Struts tag attribute, triggering code execution. For example, using the %{...} syntax to inject commands.
- Scope: Apache Struts 2 versions 2.0.0 through 2.5.26 are affected.
3. Detection and Assessment
To determine if a system is vulnerable, first check the installed version of Apache Struts 2. A thorough assessment involves reviewing application code for usage of potentially vulnerable tags.
- Quick checks: Check the Struts version in your web application’s WAR file or deployment directory. Look for files like struts.xml and examine their contents for tag configurations.
- Scanning: Nessus plugin ID 138690 can identify vulnerable versions of Apache Struts 2. Other vulnerability scanners may also offer detection capabilities, but results should be verified.
- Logs and evidence: Monitor application logs for errors related to OGNL evaluation or unusual activity within tag processing. Look for exceptions containing keywords like “OGNL” or “expression”.
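As an added example (not a tool from this page or from the Struts project), a Python equivalent of the WAR version check described above: it opens the WAR as a zip archive, finds the bundled struts2-core jar by its standard Maven file name, and compares that version against 2.5.26. The struts2-core-<version>.jar naming convention is an assumption of the example, and the sample WAR it builds is constructed so the script runs offline.

```python
import io
import re
import zipfile

# Struts 2.5.26 is the fixed release for S2-061 (per the advisory above).
FIXED_VERSION = (2, 5, 26)
# Assumption: standard Maven naming, WEB-INF/lib/struts2-core-<major>.<minor>.<patch>[-qualifier].jar
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")


def find_struts_core_versions(war_bytes):
    """Return (entry path, version tuple) for every struts2-core jar bundled in the WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                found.append((name, tuple(int(x) for x in m.groups())))
    return found


def assess_war(war_bytes):
    """Classify a WAR as 'not-found', 'vulnerable' or 'patched' by its lowest bundled struts2-core version."""
    versions = [v for _, v in find_struts_core_versions(war_bytes)]
    if not versions:
        return "not-found"  # no Struts jar bundled: check the deployment directory instead
    return "vulnerable" if min(versions) < FIXED_VERSION else "patched"


def build_sample_war(version=None):
    """Construct an in-memory WAR for testing (constructed sample: the jar entry is empty, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        if version is not None:
            war.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_struts_war.py <path_to_war_file>; with no argument, run on constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(assess_war(f.read()))
    else:
        for v in ("2.5.22", "2.5.26", None):
            print(v, "->", assess_war(build_sample_war(v)))
```

A WAR that loads Struts from a shared container classpath rather than WEB-INF/lib will report not-found, so check the deployment directory in that case.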
java -jar struts-version-checker.jar <path_to_war_file>
4. Solution / Remediation Steps
The recommended solution is to upgrade Apache Struts 2 to version 2.5.26 or later, which includes a fix for this vulnerability.
4.1 Preparation
- Ensure compatibility of the new Struts version with other application components, and keep a roll back plan: restore the previous backup if issues arise.
- A change window may be required depending on your organization’s policies and the criticality of the affected application. Approval from relevant stakeholders is recommended.
4.2 Implementation
- Step 1: Download the latest version of Apache Struts 2 (2.5.26 or later) from the official Apache website (https://struts.apache.org/downloads.html).
- Step 2: Replace the existing Struts JAR files in your web application’s classpath with the new versions. This typically involves updating libraries within your WAR file or deployment directory.
- Step 3: Rebuild and redeploy your web application.
4.3 Config or Code Example
Before
<s:textfield name="userInput" label="User Input"/>
After
<s:textfield name="userInput" label="User Input" escapeHtml="true"/>
4.4 Security Practices Relevant to This Vulnerability
- Least privilege: Run web applications with the minimum necessary privileges to limit the potential impact of successful exploits.
4.5 Automation (Optional)
Automation is not directly applicable for this vulnerability but can be useful for managing dependencies and ensuring consistent Struts versions across multiple deployments.
Example using a dependency management tool like Maven:
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.26</version>
</dependency>
5. Verification / Validation
- Post-fix check: Verify that the installed Struts version is 2.5.26 or later using the command from section 3.
- Re-test: Attempt to inject a malicious OGNL expression into a tag attribute and confirm that it does not execute. Monitor application logs for any errors related to OGNL evaluation.
- Monitoring: Implement log monitoring for suspicious activity within tag processing or OGNL evaluation.
java -jar struts-version-checker.jar <path_to_war_file>
6. Preventive Measures and Monitoring
Regularly update your security baselines to include the latest Struts versions and configuration recommendations. Implement static analysis tools in your CI/CD pipeline to detect potentially vulnerable code patterns.
- Baselines: Update your application’s security baseline or policy to require Apache Struts 2 version 2.5.26 or later.
- Pipelines: Integrate SAST (Static Application Security Testing) tools into your CI/CD pipeline to identify vulnerable code patterns, including improper OGNL evaluation.
- Asset and patch process: Establish a regular patch review cycle for all application components, including Apache Struts 2, to ensure timely security updates.
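An added example, not part of the original page: a small SAST-style check of the kind the pipelines item describes, which flags Struts tag attributes containing %{...}, the forced double evaluation syntax from section 2. The flag-every-%{...}-attribute heuristic and the sample JSP page are assumptions of this example, not rules published by the Struts project.

```python
import re

# Heuristic (an assumption of this example, not a Struts rule): any Struts tag attribute whose
# value contains %{...} is flagged, because that syntax forces a second OGNL evaluation of the
# value. Flag first, then review whether the expression can carry raw user input.
STRUTS_TAG_RE = re.compile(r"<s:(\w+)\b([^>]*?)/?>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_forced_ognl(jsp_text):
    """Return (line, tag, attribute, value) for every Struts tag attribute containing %{...}."""
    findings = []
    for m in STRUTS_TAG_RE.finditer(jsp_text):
        tag, attrs = m.group(1), m.group(2)
        line = jsp_text.count("\n", 0, m.start()) + 1
        for attr, value in ATTR_RE.findall(attrs):
            if "%{" in value:
                findings.append((line, tag, attr, value))
    return findings


def scan_files(paths):
    """Run the check over JSP files on disk; returns {path: findings} for files with at least one hit."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = find_forced_ognl(f.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample page: the textfield from section 4.3 is clean; the anchor's id attribute
# re-evaluates whatever userInput held, which is the pattern the check is meant to surface.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:textfield name="userInput" label="User Input"/>
  <s:a id="%{userInput}" href="/profile">Profile</s:a>
</s:form>
"""

if __name__ == "__main__":
    import sys
    # Usage: python find_forced_ognl.py page1.jsp page2.jsp ...; with no arguments, scan the sample.
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for line, tag, attr, value in hits:
                print(f'{path}:{line}: <s:{tag} {attr}="{value}"> forces OGNL re-evaluation')
    else:
        print(find_forced_ognl(SAMPLE_JSP))
```

Wire the script into the pipeline so a non-empty report fails the build, and treat each hit as a review item rather than a confirmed vulnerability.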
7. Risks, Side Effects, and Roll Back
Upgrading Struts may introduce compatibility issues with existing code or other dependencies; keep a roll back plan that restores the previous backup of your web application.
- Risk or side effect 1: Compatibility issues with existing code or other dependencies. Mitigation: Verify compatibility with other application components before deploying, as described in section 4.1.
- Risk or side effect 2: Unexpected behavior changes due to new Struts features or bug fixes. Mitigation: Review release notes and documentation for any potential breaking changes.
- Roll back: Restore the previous backup of your web application and its configuration files. Redeploy the original version of the application.
8. References and Resources
- Vendor advisory or bulletin: https://cwiki.apache.org/confluence/display/WW/S2-061
- NVD or CVE entry: CVE-2020-17530
- Product or platform documentation relevant to the fix:
Updated on October 26, 2025