CVE-2021-31805

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Struts allows remote code execution when developers use forced OGNL evaluation (%{...} syntax) on untrusted user input. Attackers can exploit this to execute arbitrary code on affected servers. All Apache Struts installations from version 2.0.0 through 2.5.29 are vulnerable if they use forced OGNL evaluation.

💻 Affected Systems

Products:
  • Apache Struts
Versions: 2.0.0 to 2.5.29
Operating Systems: All operating systems running Apache Struts
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when developers use forced OGNL evaluation (%{...} syntax) on untrusted user input. Applications not using this feature are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining complete control over the server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web application compromise, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated

Limited impact with proper input validation and security controls, potentially reduced to denial of service or information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward for attackers who can identify applications using forced OGNL evaluation. Multiple proof-of-concept exploits are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Struts 2.5.30 or later

Vendor Advisory: https://cwiki.apache.org/confluence/display/WW/S2-062

Restart Required: Yes

Instructions:

1. Download Apache Struts 2.5.30 or later from the official Apache website.
2. Replace your current Struts installation with the patched version.
3. Restart your application server.
4. Test your application functionality.

🔧 Temporary Workarounds

Disable forced OGNL evaluation (applies to: all)

  • Remove or disable the use of %{...} syntax in Struts tags that process untrusted user input
  • Review and modify JSP/Struts configuration files to eliminate forced OGNL evaluation on user-controlled data

Input validation and sanitization (applies to: all)

  • Implement strict input validation for all user-supplied data before processing
  • Implement validation interceptors and sanitize all user inputs in Struts actions

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block OGNL expression patterns
  • Isolate affected systems in network segments with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check your Struts version and review application code for use of %{...} syntax in Struts tags processing user input

Check Version:

Check the struts-core.jar manifest or application configuration files for version information

Verify Fix Applied:

Verify Struts version is 2.5.30 or later and test that forced OGNL evaluation no longer executes arbitrary code
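An added example (not from the advisory or the Struts project) that automates the version check above: it reads the jar's META-INF/MANIFEST.MF, handles the 72-byte line wrapping manifests use, and compares the version against the 2.0.0 through 2.5.29 range. The manifest keys consulted and the struts2-core-<version>.jar file-name fallback are assumptions about how the jar was built.

```python
import re
import zipfile
from pathlib import Path

VULN_LOW, VULN_HIGH = (2, 0, 0), (2, 5, 29)  # advisory: 2.0.0 through 2.5.29

def parse_version(text):
    """'2.5.29' or '2.5.29-SNAPSHOT' -> (2, 5, 29), for numeric comparison."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def parse_manifest(data):
    """META-INF/MANIFEST.MF bytes -> dict. Lines wrap at 72 bytes and a
    continuation line starts with one space, so rejoin those to the key."""
    headers, last_key = {}, None
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and last_key is not None:
            headers[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers

def manifest_version(data):
    """Version string from the keys (assumed) Maven/OSGi-built jars populate."""
    headers = parse_manifest(data)
    for key in ("Implementation-Version", "Bundle-Version", "Specification-Version"):
        if key in headers:
            return headers[key]
    return None

def is_vulnerable(version_text):
    # Only major.minor.patch is compared against the advisory's range.
    return VULN_LOW <= parse_version(version_text)[:3] <= VULN_HIGH

def check_jar(jar_path):
    """Return (version, vulnerable); falls back to the struts2-core-<v>.jar name."""
    jar_path = Path(jar_path)
    version = None
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            version = manifest_version(jar.read("META-INF/MANIFEST.MF"))
    if version is None:  # assumed naming convention for the core jar
        m = re.search(r"struts2?-core-(\d+(?:\.\d+)+)\.jar$", jar_path.name)
        if not m:
            raise ValueError(f"no Struts version found for {jar_path}")
        version = m.group(1)
    return version, is_vulnerable(version)
```

Run `check_jar("/path/to/struts2-core-2.5.29.jar")` against each deployed copy; a jar reporting a version inside the range still needs the upgrade even when forced OGNL evaluation is not currently used.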

📡 Detection & Monitoring

Log Indicators:

  • Unusual OGNL expression patterns in request parameters
  • Unexpected Java class loading in application logs
  • Stack traces containing OGNL-related errors

Network Indicators:

  • HTTP requests containing OGNL expression patterns in parameters
  • Unusual outbound connections from application servers

SIEM Query:

Search for: (http_request_uri CONTAINS "%7B" OR http_request_body CONTAINS "%7B") AND (http_request_uri CONTAINS "%7D" OR http_request_body CONTAINS "%7D")

This matches URL-encoded braces, which also appear in legitimate requests (for example JSON in query strings), so baseline the result against normal traffic before alerting on it.
