Threat Hunt Deep Dives: Apache Struts RCE (CVE-2020-17530)

Austin Jackson|January 21, 2021
Blog

Late last year, an Apache Struts Remote Code Execution (RCE) vulnerability (CVE-2020-17530) was discovered. In Apache Struts versions 2.0.0 – 2.5.25 a forced Object Graph Navigational Language (OGNL) double evaluation of a tag’s dynamic attributes may lead to RCE. Apache Struts is one of the most popular web frameworks on the internet, and is often a target by malicious threat actors due to its public facing nature. This RCE vulnerability is dependent on how a specific Apache Struts web application is configured which can make detection, defense, and risk analysis a complex task.

New call-to-action

The vulnerability can be exploited by sending a specially crafted HTTP request containing an OGNL payload to a vulnerable server. The Apache Struts framework can be forced to perform a dobule evalution of attributes assigned to certain tag’s attributes (such as “id”). The value passed to the Apache Struts application will be evaluated for a second time when the tag’s attributes are rendered.

If you are using Apache Struts in your environment, this vulnerability has been patched since Apache Struts v2.5.26 release and we highly recommend updating as soon as possible. This RCE vulnerability has been seen in the wild and is currently being used in active, malicious campaigns.

If you’d like to learn more about this vulnerability, you can find a proof of concept exploit for CVE-2020-17530 written in Python on the Cyborg Security GitHub account: https://github.com/CyborgSecurity/CVE-2020-17530


For more deep dives, view our latest, Threat Hunt Deep Dives: SolarWinds’ Supply-Chain Compromise (Solorigate / SUNBURST Backdoor).

New call-to-action

Blog

Austin Jackson

Software Engineer & Security Researcher
Follow Cyborg
  • Twitter
  • linked in

DISCOVER EVEN MORE

White Paper

June 3, 2021

Threat Hunt Deep Dives: User Account Control Bypass Via Registry Modification
Read more
White Paper

May 6, 2021

Ransomware: Hunting for Inhibiting System Backup or Recovery
Read more
White Paper

March 23, 2021

Living off the Land (LotL) – RDP Hijacking
Read more

SUBSCRIBE TO OUR NEWSLETTER

Continue the Hunt
No thanks, maybe later.