Apache Struts 2 Dynamic Method Invocation (DMI) Input Validation Vulnerability

Last Update Date: 28 Apr 2016 09:36 Release Date: 28 Apr 2016 4085 Views

RISK: Extremely High Risk

Extremely High Risk

TYPE: Servers - Internet App Servers

TYPE: Internet App Servers

A vulnerability has been identified in Apache Struts 2, which could be exploited by remote attacker to execute arbitrary code on target server by passing a malicious expression when Dynamic Method Invocation (DMI) is enabled.

 

Note: From CNCERT/CC report, the exploit code was released, and attacks involving banking, insurance and telecommunication systems were known:
http://www.cert.org.cn/publish/main/9/2016/20160427071233907846865/20160427071233907846865_.html (Chinese version only)

Impact

  • Remote Code Execution

System / Technologies affected

  • Struts 2.3.20 - 2.3.28 (except 2.3.20.3 and 2.3.24.3)

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
  • You may also consider to disable Dynamic Method Invocation if you have confirmed that disabling it would not affect your application.

Vulnerability Identifier

Source

Related Link

Share with

Previous

Adobe Analytics AppMeasurement for Flash Library Cross-Site Scripting Vulnerability

25 Apr 2016 3005 Views

Next

PHP Multiple Vulnerabilities

29 Apr 2016 2755 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY