
How to remediate – Apache Struts 2 Demo Application Detected

1. Introduction

The finding "Apache Struts 2 Demo Application Detected" means that a default, publicly accessible instance of the Apache Struts 2 demo application (the "showcase" web application) has been found on your network. It matters to businesses because it provides an easy entry point for attackers to exploit known and unknown vulnerabilities within the Struts framework. Affected systems are typically web servers hosting applications built with Apache Struts 2. Exposure could lead to compromise of confidentiality, integrity, and availability, depending on how the application is configured and used.

2. Technical Explanation

The technical root cause is the presence of a publicly accessible default demo application for Apache Struts 2. Attackers can exploit known vulnerabilities within the framework more easily when they have direct access to such an instance. The preconditions needed for exploitation are network connectivity to the exposed application and knowledge of existing Struts vulnerabilities. An attacker could, for example, use a remote code execution vulnerability in Struts to execute arbitrary commands on the server hosting the demo application. Affected versions include any publicly accessible default installations of the Apache Struts 2 demo application.

  • Root cause: The scanner detected a default installation of the Apache Struts 2 demo application, which is not intended for production use and contains known vulnerabilities.
  • Exploit mechanism: An attacker could leverage publicly available exploits targeting known vulnerabilities in the Struts framework to gain unauthorized access or execute code on the server.
  • Scope: Any system hosting a publicly accessible Apache Struts 2 demo application.

3. Detection and Assessment

To confirm whether a system is vulnerable, first check for the presence of the default demo application. Then perform a thorough scan to identify any exploitable vulnerabilities within the Struts framework.

  • Quick checks: Use a web browser to access http://{target_ip}/struts2-showcase/. If the Apache Struts Showcase page loads, the application is present.
  • Scanning: Nessus vulnerability ID 168397 can detect this issue. OpenVAS also has relevant checks for Struts vulnerabilities. These are examples only and may require updates to be effective.
  • Logs and evidence: Check web server access logs for requests to the `/struts2-showcase/` directory or related paths.
  Command-line equivalent of the browser check (inspect the HTTP status line and headers in the response):

    curl -I http://{target_ip}/struts2-showcase/

4. Solution / Remediation Steps

To fix this issue, delete the demo application or restrict access to it using a `.htaccess` file or the equivalent server configuration.

4.1 Preparation

  • Ensure you have appropriate permissions to modify web server configuration files, and back up the directory and configuration before changing anything. The rollback plan is to restore that backup and restart the web server.
  • Change windows may be needed depending on your organization’s policies. Approval from a security team might be required.

4.2 Implementation

  1. Step 1: Delete the `/struts2-showcase/` directory and all its contents from the web server’s document root.
  2. Step 2: Alternatively, create or modify a `.htaccess` file for the `/struts2-showcase/` directory (or add an equivalent `<Directory>` block to the server configuration) to restrict access to known IP addresses only.

4.3 Config or Code Example

Before

    # No access restrictions on /struts2-showcase/ directory

After

    # Apache httpd configuration (httpd.conf or the virtual host file).
    # Note: <Directory> blocks are not allowed inside .htaccess; put only the
    # access directives themselves in a .htaccess file if you use that route.
    <Directory "/var/www/html/struts2-showcase/">
      # Apache 2.2 syntax (on Apache 2.4 this requires mod_access_compat)
      Order Deny,Allow
      Deny from all
      Allow from 192.168.1.0/24
      # Apache 2.4 native equivalent of the three lines above:
      #   Require ip 192.168.1.0/24
    </Directory>

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Secure configuration management to prevent deployment of default or test applications into production.
  • Practice 2: Least privilege access control to limit the impact if an application is compromised.

4.5 Automation (Optional)

    #!/bin/bash
    # Example Bash script to remove the demo application directory
    set -euo pipefail
    SHOWCASE_DIR="/var/www/html/struts2-showcase/"   # adjust to your document root
    # WARNING: rm -rf is destructive; refuse to run unless the expected directory exists
    [ -d "$SHOWCASE_DIR" ] || { echo "Directory not found: $SHOWCASE_DIR" >&2; exit 1; }
    rm -rf "$SHOWCASE_DIR"
    echo "Struts 2 demo application removed."

5. Verification / Validation

Confirm the fix by attempting to access the demo application again and verifying that it is no longer accessible. Perform a re-scan to confirm that the vulnerability is resolved.

  • Post-fix check: Use a web browser to access http://{target_ip}/struts2-showcase/. You should receive an error message (e.g., 403 Forbidden or 404 Not Found).
  • Re-test: Re-run the Nessus scan or OpenVAS check used earlier to confirm that the vulnerability is no longer detected.
  • Smoke test: Verify that other web applications hosted on the server are still functioning correctly.
  • Monitoring: Monitor web server access logs for any attempts to access the `/struts2-showcase/` directory, which should now be blocked or non-existent.
  Command-line equivalent of the post-fix check (the status line should now be 403 or 404):

    curl -I http://{target_ip}/struts2-showcase/
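One way to script the curl check from sections 3 and 5 together with the access-log review, as an added example that is not part of the original article. It assumes `curl` is installed, that `{target_ip}` is supplied by the operator, and it uses constructed sample log lines in Apache combined log format.

```shell
#!/bin/bash
# Added example (not from the original article): probe the showcase path and
# scan an access log for requests to it. Run probe_showcase before and after
# the fix; run scan_access_log on the real access log to see who requested it.
set -u

SHOWCASE_PATH="/struts2-showcase/"

# Map the HTTP status of a HEAD request to a verdict:
# 200 = demo app still reachable, 401/403 = blocked, 404/410 = removed.
classify_status() {
  case "$1" in
    200) echo "EXPOSED" ;;
    301|302|307|308) echo "REDIRECT" ;;   # check manually: may lead into the app
    401|403) echo "BLOCKED" ;;
    404|410) echo "ABSENT" ;;
    000) echo "UNREACHABLE" ;;            # curl could not connect
    *) echo "UNKNOWN" ;;
  esac
}

# Usage: probe_showcase http://{target_ip}
probe_showcase() {
  local base="$1" code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "${base}${SHOWCASE_PATH}")
  classify_status "$code"
}

# Usage: scan_access_log /var/log/apache2/access.log
# Prints "client_ip status count" for every request to the showcase path, so
# blocked (403/404) and successful (200) hits are distinguishable per source.
scan_access_log() {
  local logfile="$1"
  grep -F "$SHOWCASE_PATH" "$logfile" \
    | awk '{ counts[$1 " " $9]++ } END { for (k in counts) print k, counts[k] }' \
    | sort
}

# Constructed sample log lines (combined format) for a self-contained run.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /struts2-showcase/showcase.action HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:01 +0000] "GET /struts2-showcase/ HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:14:03:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}
```

Running `sample_log > /tmp/sample.log; scan_access_log /tmp/sample.log` shows two successful hits from 203.0.113.7 and one blocked request from 198.51.100.9, while the unrelated `/index.html` request is ignored.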

6. Preventive Measures and Monitoring


  • Baselines: Update security baselines or policies to prohibit the deployment of default demo applications into production environments.
  • Pipelines: Add checks in CI/CD pipelines to scan for and prevent the inclusion of unnecessary or insecure components like test applications.
  • Asset and patch process: Implement a regular review cycle for deployed assets to identify and remove unused or outdated applications.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Removing the directory may impact applications that unintentionally depend on it (unlikely, but possible).
  • Risk or side effect 2: Incorrectly configured .htaccess rules could block legitimate traffic.
  • Roll back: If using .htaccess, remove or comment out the added rules. If deleting the directory, restore from backup. Restart the web server service if necessary.
