CVE-2019-0230

9.8 CRITICAL

📋 TL;DR

CVE-2019-0230 (Apache advisory S2-059) is a remote code execution vulnerability in Apache Struts 2. When application code applies forced OGNL evaluation (the %{...} syntax) to a tag attribute whose value already contains raw user input, the framework evaluates the result a second time, so an attacker who can place an OGNL expression in that input gets it executed on the server. It affects Apache Struts versions 2.0.0 through 2.5.20. Any organization running a vulnerable Struts version in a web application is at risk; whether a given application is exploitable depends on whether it uses that pattern.

💻 Affected Systems

Products:
  • Apache Struts
Versions: 2.0.0 to 2.5.20
Operating Systems: All operating systems running Apache Struts
Default Config Vulnerable: ⚠️ Yes (no configuration setting disables the double evaluation; exploitability depends on the application code, see Notes)
Notes: Applications whose Struts tag attributes apply forced OGNL evaluation (%{...}) to raw user input are exploitable. Struts is also bundled in third-party products; SAP systems may be affected as noted in an SAP advisory, so check embedded copies as well as directly deployed ones.

📦 What is this software?

Apache Struts 2 is an open-source Java framework for building web applications. Its tag library and configuration use OGNL (Object-Graph Navigation Language) expressions, written as %{...} in tag attributes, to read and write properties of the action handling a request. This vulnerability lies in how those expressions are evaluated when they contain user-controlled data.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise. Code runs as the application server's account; if that account is privileged or the host sits on a flat network, attackers can execute arbitrary commands, steal data, deploy malware, and pivot to other systems.

🟠 Likely Case: Remote code execution within the application server's privileges, leading to web application compromise, exfiltration of the data the application can reach, or deployment of web shells for persistence.

🟢 If Mitigated: Limited impact. Upgrading removes the flaw; where the upgrade is delayed, network segmentation, WAF rules, and input validation reduce exposure but do not eliminate it.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication on internet-facing applications.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist. Exploitation still depends on a precondition in the target application: a Struts tag attribute must apply forced OGNL evaluation to a value that contains raw user input, so not every application on an affected version is exploitable, but once such a page is found no authentication is needed to reach code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Struts 2.5.22 or later

Vendor Advisory: https://cwiki.apache.org/confluence/display/ww/s2-059

Restart Required: Yes

Instructions:

1. Upgrade to Apache Struts 2.5.22 or later.
2. Update all Struts dependencies in your application (struts2-core and the plugins built for the same release), including copies packed inside WAR/EAR archives and copies embedded in vendor products.
3. Restart the application server.
4. Test application functionality and confirm that no older struts2-core jar remains on the classpath.

🔧 Temporary Workarounds

Remove Forced Evaluation on User Input (all platforms)

The vendor's stated alternative to upgrading: do not apply forced OGNL evaluation to untrusted input. Audit templates for tag attributes written as %{...} whose value derives from request data, and pass the value without forced evaluation instead.

Input Validation Filter (all platforms)

Reject requests whose parameters contain the %{ delimiter after full URL-decoding; attackers encode it as %25%7B and double-encode it as %2525%257B. This is a stopgap: a blocklist only covers the encodings you anticipated.

WAF Rule Implementation (all platforms)

Deploy Web Application Firewall rules, with request decoding enabled, that block %{ and OGNL expression patterns (#, @, _memberAccess) in request parameters and bodies. Treat this as buying time until the upgrade is applied.

🧯 If You Can't Patch

  • Implement strict network segmentation so a compromised application server cannot reach critical assets, and run the application server as an unprivileged account.
  • Deploy intrusion detection rules for OGNL expression patterns (%{, #, @, _memberAccess, including their URL-encoded forms) and monitor for exploitation attempts; alert on attempts, not only on successful requests.

🔍 How to Verify

Check if Vulnerable:

Check the Struts version in application libraries (struts2-core-x.x.x.jar), including jars packed inside WAR/EAR archives and copies embedded in vendor products. Versions 2.0.0 to 2.5.20 are vulnerable. The version in the file name can be stale after repackaging, so prefer the Maven version recorded inside the jar.

Check Version:

find /path/to/app -name "struts2-core*.jar" -exec sh -c 'printf "%s: " "$1"; unzip -p "$1" META-INF/maven/org.apache.struts/struts2-core/pom.properties 2>/dev/null | grep "^version=" || echo "(no pom.properties inside the jar; fall back to the version in the file name)"' _ {} \;

Verify Fix Applied:

Verify that the struts2-core version on the classpath is 2.5.22 or later and that no older copy remains, then retest application functionality and rescan with a web vulnerability scanner that includes an S2-059 check.
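The following script is an added example, not part of this advisory or of the Struts project, that automates the version check above and goes a little beyond the one-liner: it walks a directory, reads the Maven version recorded inside every struts2-core jar (falling back to the file name when the jar carries no Maven metadata), also lists struts2-core jars packed inside .war/.ear archives, and flags any version in the affected range 2.0.0 to 2.5.20. The deployment path /path/to/app and the archives it scans are assumptions for illustration.

```python
import os
import re
import zipfile

# Affected range stated in the advisory (Struts 2.0.0 - 2.5.20; fixed in 2.5.22).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 20)

# Version component embedded in jar file names, e.g. struts2-core-2.5.20.jar
NAME_VERSION_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)")
# Path of the Maven metadata that struts2-core jars carry inside the archive
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.5.20' -> (2, 5, 20). Qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError("not a version string: %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(version):
    """True when a struts2-core version string falls inside the affected range."""
    v = parse_version(version)
    v = (v + (0, 0, 0))[:3]  # pad '2.5' to '2.5.0' for a three-way comparison
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def version_from_jar(path):
    """Read the Maven version recorded inside a struts2-core jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            for line in jar.read(POM_PROPERTIES).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or a repackaged jar without Maven metadata
    m = NAME_VERSION_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def is_struts_core(name):
    return name.startswith("struts2-core") and name.endswith(".jar")


def scan(root):
    """Return (location, version, affected) for each struts2-core jar under root.

    Jars packed inside .war/.ear archives are reported as 'archive!entry' using the
    version in the entry name, since the nested jar is not unpacked here.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_struts_core(name):
                version = version_from_jar(path)
                findings.append((path, version, version is not None and is_affected(version)))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        base = os.path.basename(entry)
                        if is_struts_core(base):
                            m = NAME_VERSION_RE.search(base)
                            version = m.group(1) if m else None
                            findings.append((path + "!" + entry, version,
                                             version is not None and is_affected(version)))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/path/to/app"  # assumed deployment directory
    for location, version, affected in scan(root):
        print("%-60s %-10s %s" % (location, version or "unknown", "VULNERABLE" if affected else "ok"))
```

A jar reported with version None is one whose name and metadata both lack a version; inspect it by hand rather than treating it as fixed.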

📡 Detection & Monitoring

Log Indicators:

  • Request parameters containing the %{ delimiter or OGNL syntax (#, @), usually URL-encoded one or more times
  • Unexpected Java class loading or child processes spawned by the application server's JVM
  • OGNL evaluation exceptions and stack traces in the application log, especially paired with HTTP 500 responses to requests like those above

Network Indicators:

  • HTTP requests whose query string or body contains %{ (encoded as %25%7B, or double-encoded as %2525%257B) followed by OGNL tokens such as # (%23), @ (%40), _memberAccess, or ognl

SIEM Query:

source="web_logs" AND (uri="*%25%7B*" OR uri="*%{*") AND (uri="*%23*" OR uri="*%40*" OR uri="*_memberAccess*" OR uri="*ognl*")

The field name uri is illustrative; use the request field of your log schema. Do not restrict the query to status=200: failed attempts usually return 500, and the attempts themselves are the signal.
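As an added example, not part of the original advisory, the script below shows the detection logic the indicators describe, run over a few constructed access-log lines: it percent-decodes the request target repeatedly (attackers double-encode to slip past naive matching), looks for Struts' forced-evaluation delimiter %{, and rates the request higher when common OGNL tokens follow it. The log lines, client addresses, paths and parameter names are constructed for the example.

```python
import re
from urllib.parse import unquote

# "%{" is Struts' forced-evaluation delimiter; the rest are tokens that OGNL
# payloads commonly carry (context/static access, member-access checks, runtime exec).
OGNL_TOKENS = ("#", "@", "ognl", "_memberAccess", "getRuntime", "freemarker.template.utility.Execute")

# Common/combined access-log format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_layers(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; attackers double-encode to evade naive matching."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(target):
    """Return ("high"|"low", decoded_target) for a request target carrying %{...}, else None.

    "high" means OGNL tokens follow the delimiter; "low" is a bare %{...} such as an arithmetic probe.
    """
    decoded = decode_layers(target)
    if "%{" not in decoded:
        return None
    after_delimiter = decoded.split("%{", 1)[1]
    level = "high" if any(tok in after_delimiter for tok in OGNL_TOKENS) else "low"
    return level, decoded


def scan_log(lines):
    """Run classify() over access-log lines and return the suspicious ones with context."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "level": verdict[0], "target": verdict[1]})
    return hits


# Constructed sample lines (not real traffic): a benign request, a single-encoded
# arithmetic probe, a double-encoded request carrying an OGNL token, and a POST
# whose body (where a payload could also travel) the access log does not record.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2020:10:00:01 +0000] "GET /app/index.action?skillName=java HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Aug/2020:10:00:02 +0000] "GET /app/index.action?skillName=%25%7B2%2B3%7D HTTP/1.1" 200 520',
    '198.51.100.7 - - [10/Aug/2020:10:00:03 +0000] "GET /app/index.action?id=%2525%257B%2523_memberAccess%257D HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Aug/2020:10:00:04 +0000] "POST /app/login.action HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The third sample line returned HTTP 500, which a query restricted to status=200 would discard; failed attempts are as useful a signal as successful ones. Access logs record only the request line, so a payload sent in a POST body needs a WAF or request-body logging to be seen at all.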
