1. Introduction
Apache Struts 2.0.0 through 2.5.29 contains a Remote Code Execution (RCE) vulnerability, designated S2-062 (CVE-2021-31805). An attacker can execute arbitrary code on an affected system when a Struts tag attribute applies forced OGNL evaluation (the %{…} syntax) to untrusted user input. Successful exploitation runs code as the application server's user and so leads to complete compromise of the host, impacting confidentiality, integrity and availability.
2. Technical Explanation
The vulnerability stems from an incomplete fix for S2-061 (CVE-2020-17530). Applications that wrap untrusted user input in the %{…} syntax inside tag attributes are exploitable on any Struts version from 2.0.0 to 2.5.29: the attribute is evaluated once, producing the attacker-controlled string, and that string is then evaluated a second time as OGNL, which is where the injected expression runs.
- Root cause: Incomplete fix for CVE-2020-17530 allowing double evaluation of tag attributes with forced OGNL.
- Exploit mechanism: An attacker supplies a parameter value containing an OGNL expression inside %{…}; the first evaluation of the tag attribute yields that string, and the second evaluation executes it. For example, the submitted value could have the shape
%{#context['com.opensymphony.xwork2.ActionContext'].getServletContext().getClass().forName("java.lang.Runtime").getRuntime().exec("whoami")}
This illustrates the shape of a payload only: whether an expression like it runs as written depends on the OGNL sandbox (excluded classes and packages) of the version in use, and the additional steps public exploits take to get around that sandbox are not covered here.
- Scope: Apache Struts 2.0.0 through 2.5.29 are affected.
3. Detection and Assessment
Confirming exposure starts with the installed Struts version. Because the flaw only fires when forced OGNL evaluation is applied to untrusted input, a thorough assessment also reviews templates and action code for %{…} wrapped around request-derived values; upgrade regardless of what that review finds, since the version is the only reliable fix.
- Quick checks: Read the struts2-core version from the jar name under WEB-INF/lib in the deployed WAR, or from the build's dependency list (pom.xml, build.gradle).
- Scanning: Software Composition Analysis (SCA) or dependency scanners identify vulnerable struts2-core versions; Static Application Security Testing (SAST), or a plain grep for %{ in tag attributes, can flag forced OGNL evaluation fed from user input.
- Logs and evidence: Look in access and application logs for request parameters carrying OGNL markers (%{, #context, @java.lang…@, getRuntime) and for OGNL evaluation errors that coincide with them.
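The version check and the template review above, combined in one script. This is an added example, not a tool from the advisory or the Struts project: it inspects a WAR in memory (the sample WAR is constructed inside the script so it runs offline), assumes the standard struts2-core-<version>.jar naming under WEB-INF/lib and the s: tag prefix, and the same assess_war call serves as the post-fix check in section 5, where the expected result is a version of 2.5.30 or later and no findings.

```python
"""Assess a Struts 2 WAR for S2-062 exposure without unpacking it to disk.

Two static checks: the struts2-core version taken from the jar name in
WEB-INF/lib, and template tags that apply forced OGNL evaluation (%{...})
inside a Struts tag attribute. Both find exposure, not proof of exploitation.
"""
import io
import re
import zipfile
from typing import Optional

FIRST_AFFECTED = (2, 0, 0)
FIXED_VERSION = (2, 5, 30)  # S2-062 is fixed in 2.5.30

# struts2-core-2.5.29.jar (a classifier or qualifier after the version is tolerated)
CORE_JAR_RE = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)+)[^/]*\.jar$")
# A Struts tag attribute whose value contains forced evaluation: <s:textfield name="%{foo}" .../>
FORCED_OGNL_RE = re.compile(r'<s:[\w-]+[^>]*?\s[\w-]+\s*=\s*"[^"]*%\{[^"]*\}[^"]*"')
TEMPLATE_SUFFIXES = (".jsp", ".ftl", ".vm")


def parse_version(text: str) -> tuple:
    """'2.5.29' -> (2, 5, 29); tuples compare element-wise, so 2.5.30.1 sorts after 2.5.30."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def struts_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    for name in zf.namelist():
        match = CORE_JAR_RE.match(name)
        if match:
            return match.group(1)
    return None  # no struts2-core jar: not a Struts 2 app, or an unusual layout


def forced_ognl_findings(zf: zipfile.ZipFile) -> list:
    """(entry name, offending tag) for every template tag attribute wrapped in %{...}."""
    findings = []
    for name in zf.namelist():
        if name.lower().endswith(TEMPLATE_SUFFIXES):
            text = zf.read(name).decode("utf-8", errors="replace")
            findings.extend((name, m.group(0)) for m in FORCED_OGNL_RE.finditer(text))
    return findings


def assess_war(war) -> dict:
    """war is a path or a file-like object; returns the version and the template findings."""
    with zipfile.ZipFile(war) as zf:
        version = struts_core_version(zf)
        return {
            "struts_core_version": version,
            "version_vulnerable": version is not None and is_vulnerable(version),
            "forced_ognl": forced_ognl_findings(zf),
        }


def build_sample_war(version: str, jsp: str) -> io.BytesIO:
    """Constructed sample WAR (empty jar entries, one JSP) so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", b"")
        zf.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", b"")
        zf.writestr("WEB-INF/jsp/form.jsp", jsp)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_war(
        "2.5.29",
        '<s:textfield name="%{userProvidedValue}" />\n<s:textfield name="userInput" />\n',
    )
    report = assess_war(sample)
    state = "VULNERABLE" if report["version_vulnerable"] else "patched"
    print(f"struts2-core {report['struts_core_version']}: {state}")
    for entry, tag in report["forced_ognl"]:
        print(f"forced OGNL in {entry}: {tag}")
```

Run it against a real deployment with assess_war("/path/to/your_application.war"). A finding in forced_ognl is only a problem when the wrapped value is attacker-controlled, so each one still needs a look at where the value comes from.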
jar tf your_application.war | grep struts2-core
4. Solution / Remediation Steps
The primary solution is to upgrade Apache Struts to version 2.5.30 or later, which includes the complete fix for S2-062.
4.1 Preparation
- Ensure the upgraded Struts version is compatible with the application's other dependencies, and take a backup of the deployed application and its configuration first; the roll back plan is to restore that backup.
- A change window may be required depending on service criticality, requiring approval from relevant stakeholders.
4.2 Implementation
- Step 1: Obtain Apache Struts 2.5.30 or later from the official Apache distribution, or from Maven Central for build-managed projects, and verify the published checksums and signatures.
- Step 2: Bump the struts2-core dependency version in the build (pom.xml, build.gradle) so that every struts2-* plugin moves to the same version; if jars are managed by hand, remove the old versioned jars before adding the new ones so that two Struts versions never share a classpath.
- Step 3: Rebuild the application, run its test suite and redeploy.
4.3 Config or Code Example
Before
<s:textfield name="userInput" value="%{userProvidedValue}" />
After
<s:textfield name="userInput" value="userProvidedValue" />
Struts evaluates tag attributes as OGNL on its own, so wrapping a user-controlled value in %{…} only adds the second evaluation the attacker needs. Removing it is the mitigation the advisory recommends for untrusted input; it does not replace the upgrade.
4.4 Security Practices Relevant to This Vulnerability
- Least privilege: Run the application server as a dedicated low-privilege account to limit what an OGNL payload can do if it executes.
- Input handling: Treat OGNL expressions as code; never build them from request-derived values, and never wrap such values in %{…}.
4.5 Automation (Optional)
# Example Ansible playbook snippet to install the patched Struts core library.
# Remove the old struts2-core-<version>.jar in the same play (the paths here are
# placeholders) and upgrade any struts2-*-plugin jars to the same version,
# otherwise two Struts versions end up on one classpath.
- name: Install struts2-core 2.5.30
  copy:
    src: /path/to/struts2-core-2.5.30.jar
    dest: /opt/application/lib/struts2-core-2.5.30.jar
  notify: Restart application server
5. Verification / Validation
Verify the fix by confirming that the upgraded Struts version is the one actually deployed and that no template still applies forced OGNL evaluation to untrusted input.
- Post-fix check: Read the struts2-core version from the deployed WAR (jar name under WEB-INF/lib) or the dependency list, expecting 2.5.30 or later; check the running deployment, not only the build, so that a stale artifact is not missed.
- Re-test: Re-run the earlier detection steps (version check and template review); both should come back clean.
- Monitoring: Watch application logs for OGNL evaluation errors and request parameters carrying OGNL markers. Probes will continue after the upgrade; the patched version should now reject them without executing anything.
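The log review described under "Logs and evidence" in section 3 and "Monitoring" above, as an added example that is not part of the advisory: it parses combined-format access log lines (the sample lines are constructed for this example, not from a real incident), decodes each request target until repeated URL encoding is stripped, and flags OGNL markers. The indicator names and patterns are a hunting heuristic chosen here, not an official signature set.

```python
"""Hunt for OGNL injection attempts in web server access logs.

Attack traffic against a forced-evaluation sink arrives URL-encoded, often
more than once, so every request target is decoded until it stops changing
and then matched against a short list of OGNL indicators.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not taken from a real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2022:10:01:12 +0000] "GET /app/search.action?q=shoes HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2022:10:01:40 +0000] "GET /app/search.action?q=%25%7B%23context%5B%27com.opensymphony.xwork2.ActionContext%27%5D%7D HTTP/1.1" 200 4123 "-" "python-requests/2.27"
203.0.113.7 - - [12/Apr/2022:10:01:41 +0000] "POST /app/profile.action HTTP/1.1" 500 233 "-" "python-requests/2.27"
10.0.0.9 - - [12/Apr/2022:10:02:03 +0000] "GET /app/profile.action?id=%7Buser%7D HTTP/1.1" 200 811 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicator name -> pattern, applied to the fully decoded request target.
INDICATORS = [
    ("forced-eval", re.compile(r"[%$]\{")),  # %{...} or ${...}
    ("ognl-context-var", re.compile(r"#(?:context|_memberAccess|application|request|session|parameters|attr)\b")),
    ("static-access", re.compile(r"@[\w.]+@")),  # @java.lang.Runtime@getRuntime()
    ("reflection-or-exec", re.compile(r"\b(?:getClass|getRuntime|forName|exec|ProcessBuilder)\s*\(")),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding; stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators(decoded_target: str) -> list:
    """Names of the indicators present in an already decoded request target."""
    return [name for name, pattern in INDICATORS if pattern.search(decoded_target)]


def scan_log(text: str) -> list:
    """One record per request whose decoded target carries at least one indicator.

    POST bodies are not in access logs, so a body-borne payload only shows up
    here through side effects, such as a 500 following a probe from the same IP.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = decode_fully(m.group("target"))
        found = indicators(decoded)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": decoded,
                "status": int(m.group("status")),
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['indicators']} {hit['target']}")
```

A single hit does not prove exploitation; the 200 status on the probing request says nothing about whether the expression ran, so correlate hits with the application's OGNL error messages and with any unexpected child processes of the application server.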
jar tf your_application.war | grep struts2-core
6. Preventive Measures and Monitoring
- Baselines: Update security baselines to require the latest patched versions of Apache Struts.
- Pipelines: Integrate dependency scanning (SCA) into the CI/CD pipeline to fail builds on outdated Struts libraries, and SAST to flag forced OGNL evaluation on request-derived values.
- Asset and patch process: Implement a regular patch management cycle for all application dependencies, including Apache Struts.
7. Risks, Side Effects, and Roll Back
- Risk or side effect: Service downtime may be required during the upgrade. Templates that relied on attribute values being evaluated a second time will render differently once that double evaluation is gone, so exercise the affected pages during testing.
- Roll back: Restore the previous backup of your application and its configuration to revert to the original state.
8. References and Resources
- Vendor advisory or bulletin: https://cwiki.apache.org/confluence/display/WW/S2-062
- NVD or CVE entry: CVE-2021-31805, https://nvd.nist.gov/vuln/detail/CVE-2021-31805
- Product or platform documentation relevant to the fix: https://struts.apache.org/