How to remediate – Apache Struts 2.x < 2.3.34 / 2.5.x < 2.5.12 Remote Code Execut...

Contents

1. Introduction

Apache Struts 2.x < 2.3.34 / 2.5.x < 2.5.12 Remote Code Execution (S2-053) is a critical vulnerability allowing attackers to execute arbitrary code on affected systems. This occurs due to improper handling of expressions within Freemarker tags, leading to potential remote command execution. Systems using vulnerable versions of the Apache Struts framework are at risk. Successful exploitation can lead to complete compromise of confidentiality, integrity and availability.

2. Technical Explanation

The vulnerability stems from allowing unintentional expression evaluation within Freemarker tags instead of treating them as string literals. An attacker can inject malicious code into a request that is then executed by the server when processing the Freemarker tag. This requires an application using Apache Struts 2 and utilizing Freemarker templates with user-supplied input. The CVE identifier for this vulnerability is CVE-2017-12611.

Root cause: Unintentional expression evaluation in Freemarker tags instead of string literals.
Exploit mechanism: An attacker crafts a malicious request containing an exploitable Freemarker tag, which when processed by the server executes arbitrary code. For example, injecting a tag that calls system commands.
Scope: Apache Struts 2 versions 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 are affected.

3. Detection and Assessment

To confirm vulnerability, check the installed version of Apache Struts. Thorough assessment involves reviewing application code for use of Freemarker tags with user-supplied input.

Quick checks: Check the Struts version using the application’s WAR file manifest or by examining deployed libraries.
Scanning: Nessus plugin ID 100829 can detect vulnerable versions. This is an example only, and results should be verified manually.
Logs and evidence: Look for suspicious activity in application logs related to Freemarker tag processing, particularly errors or unexpected code execution.

jar -tf your_application.war | grep struts-core.jar

4. Solution / Remediation Steps

Apply the recommended patch or upgrade to a secure version of Apache Struts 2.

4.1 Preparation

Ensure you have a rollback plan in place, such as restoring from backup or reverting to the previous version of Struts. A change window may be required depending on your environment.

4.2 Implementation

Step 1: Upgrade Apache Struts to version 2.3.34 or later.
Step 2: Alternatively, upgrade to Apache Struts 2.5.12 or later.

4.3 Config or Code Example

Before

<s:freemarker tag="${userSuppliedInput}" />

After

<s:freemarker tag="'${userSuppliedInput}'" />

4.4 Security Practices Relevant to This Vulnerability

Practice 2: Employ the principle of least privilege, limiting the permissions granted to the web application service account to reduce the impact if an attacker gains control.

4.5 Automation (Optional)

# Example using Ansible to update Struts package on Debian/Ubuntu systems
- name: Update Apache Struts package
  apt:
    name: struts2-core
    state: latest
  become: true

`5. Verification / Validation`

Confirm the fix by verifying the updated Struts version and performing a negative test to ensure the vulnerability is no longer exploitable.

Post-fix check: Run `jar -tf your_application.war | grep struts-core.jar` and confirm the version number is 2.3.34 or higher, or 2.5.12 or higher.
Monitoring: Monitor application logs for any errors related to Freemarker tag processing or unexpected code execution.

jar -tf your_application.war | grep struts-core.jar

`6. Preventive Measures and Monitoring`

Baselines: Update security baselines to include the latest Struts version requirements.
Asset and patch process: Implement a regular patch management cycle for all software components, including Apache Struts.

`7. Risks, Side Effects, and Roll Back`

Risk or side effect 1: Upgrading Struts may introduce compatibility issues with existing application code; thorough testing is required.
Risk or side effect 2: Service downtime during the upgrade process.

`8. References and Resources`

Vendor advisory or bulletin: https://cwiki.apache.org/confluence/display/WW/S2-053
NVD or CVE entry: CVE-2017-12611
Product or platform documentation relevant to the fix: https://struts.apache.org/

Updated on October 26, 2025

`Was this article helpful?`

Yes No

 Related Articles
 How to remediate – 4553 Parasite Mothership Backdoor Detection
 How to remediate – 602LAN SUITE Open Telnet Proxy
 How to remediate – 7-Technologies / Schneider-Electric IGSS Data Collector Detection
 How to remediate – 7-Technologies / Schneider-Electric IGSS Detection
 How to remediate – 7-Technologies / Schneider-Electric IGSS ODBC Service Detection
 How to remediate – 7-Technologies / Schneider-Electric IGSS ODBC Version Identifi…