Apache Struts Dynamic Method Invocation command execution

Added: 05/06/2016
CVE: CVE-2016-3081

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

The Dynamic Method Invocation (DMI) feature lets the HTTP request name the action method to invoke instead of the method fixed in the action mapping. One of the supported forms is a request parameter whose name carries the "method:" prefix, so that a parameter named method:save causes the action's save() method to be called.

Problem

In affected versions the method name taken from the "method:" prefix is evaluated as an OGNL expression rather than treated as a plain method name. A remote attacker can therefore execute arbitrary code on the server by sending a specially crafted request whose method: parameter name carries an OGNL payload. Dynamic Method Invocation must be enabled for the prefix to be honoured, so deployments with DMI disabled are not exposed.

Resolution

Upgrade to Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1 or later. If an upgrade is not immediately possible, disable Dynamic Method Invocation by setting the constant struts.enable.DynamicMethodInvocation to false in struts.xml. The default in the affected 2.3.x releases is true, so the constant has to be set explicitly; an absent constant means DMI is enabled.
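The two checks a practitioner wants around this advisory are whether a deployment's struts.xml leaves Dynamic Method Invocation enabled, and whether request logs contain method: parameter names that are not plain method names. The script below is an added example and not part of the original advisory or the Struts project; the struts.xml fragments and request lines it embeds are constructed samples, and the OGNL-looking method name in the third request is a harmless expression chosen only to show the syntax a detection should trip on.

```python
"""Added example (not from the advisory or Struts): two checks for S2-032.

1. Configuration check: a struts.xml leaves DMI enabled unless the constant
   struts.enable.DynamicMethodInvocation is explicitly set to false. In the
   affected 2.3.x releases the framework default is true.
2. Request check: DMI reads the method name from a request parameter *name*
   of the form "method:<name>". A legitimate name is a plain Java identifier;
   anything containing OGNL syntax ('#', '@', '(', '=', ...) is flagged.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
METHOD_PREFIX = "method:"
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

# Constructed struts.xml: no DMI constant at all, so DMI stays at its default (true).
STRUTS_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="false"/>
    <package name="default" extends="struts-default">
        <action name="index" class="com.example.IndexAction"/>
    </package>
</struts>
"""

# Constructed struts.xml with the mitigation from the Resolution section applied.
STRUTS_XML_FIXED = STRUTS_XML_WEAK.replace(
    '<constant name="struts.devMode" value="false"/>',
    '<constant name="struts.devMode" value="false"/>\n'
    '    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>',
)

# Constructed request targets as they would appear in an access log.
SAMPLE_REQUESTS = [
    "/app/index.action",
    "/app/index.action?method:execute=1",
    "/app/index.action?method:%23foo%3d%40java.lang.Math%40max(1,2)",
]


def dmi_enabled(struts_xml: str) -> bool:
    """Return True if the given struts.xml leaves Dynamic Method Invocation on."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() != "false"
    return True  # constant absent: affected 2.3.x releases default to enabled


def suspicious_dmi_params(request_target: str) -> list:
    """Return the DMI method names in a request that are not plain identifiers.

    Percent-encoding is undone by parse_qsl, so '%23' (#) and '%40' (@) in the
    logged parameter name are examined in their decoded form.
    """
    query = urlsplit(request_target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name.startswith(METHOD_PREFIX):
            method = name[len(METHOD_PREFIX):]
            if not JAVA_IDENT.match(method):
                hits.append(method)
    return hits


def scan_requests(requests: list) -> list:
    """Return (request, flagged_method_names) pairs for requests worth a look."""
    flagged = []
    for req in requests:
        hits = suspicious_dmi_params(req)
        if hits:
            flagged.append((req, hits))
    return flagged


if __name__ == "__main__":
    for label, xml in (("weak", STRUTS_XML_WEAK), ("fixed", STRUTS_XML_FIXED)):
        print(f"{label} struts.xml: DMI enabled = {dmi_enabled(xml)}")
    for req, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"suspicious DMI method name(s) in {req}: {hits}")
```

Run it against a real struts.xml and a day's worth of access-log request targets. A legitimate DMI parameter such as method:execute is left alone; only method names that cannot be a Java identifier are reported, which is exactly the shape an OGNL payload must have.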

References

https://struts.apache.org/docs/s2-032.html

Limitations

The exploit works against vulnerable Apache Struts releases from 2.3.20 through 2.3.28 (the patched 2.3.20.3 and 2.3.24.3 releases within that range are not affected) running on Linux, and requires Dynamic Method Invocation to be enabled on the target. With DMI disabled the method: prefix is ignored and the payload is never evaluated.

Platforms

Linux
