All Products
Document Center

[Vulnerability notice] Remote command execution vulnerability in Struts 2

Last Updated: May 07, 2018


Apache Struts is a free, open-source, MVC framework to create elegant modern Java web applications.

When the dynamic method invocation (Dynamic Method Invocation) is enabled for Struts, attackers may use the REST plug-in to run remote code.

Affected versions

Struts 2.3.20 - 2.3.28


  • Use Alibaba Cloud Security Web Application Firewall to intercept the attacking code for this vulnerability.

  • In the struts.xml file, set struts.enable.DynamicMethodInvocation to False.

  • Upgrade Struts to version 2.5 or later versions from the official website.