Threat Signal Report

Incomplete Fix for Apache Struts 2 Vulnerability (CVE-2021-31805) Amended

description-logo Description

FortiGuard Labs is aware that the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805 OGNL Injection vulnerability ) that affects Apache Struts 2 on April 12th, 2022. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible.


Why is this Significant?
This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible.

On the side note, an older Struts 2 OGNL Injection vulnerability (CVE-2017-5638) was exploited in the wild that resulted in a massive data breach of credit reporting agency Equifax in 2017.


What is Apache Struts 2?
Apache Struts 2 is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture.


What is CVE-2021-31805?
CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system. The vulnerability was originally assigned CVE-2020-17530, however CVE-2021-31805 was newly assigned to the vulnerability as some security researchers found a workaround for the original patch released in 2020.


The vulnerability is described as "some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation."


What Versions of Apache Struts are Vulnerable to CVE-2021-31805?

Struts 2.0.0 - Struts 2.5.29 are vulnerable.

Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively.


Has the Vendor Released a Patch for CVE-2021-31805?
Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022.

Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible.


Has the Vendor Released an Advisory?
Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to "Security Bulletin: S2-062".


What is the Status of Coverage?
FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which applies for CVE-2021-31805:

Apache.Struts.OGNL.BeanMap.Remote.Code.Execution


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.