
[Vulnerability notice] CVE-2017-12611: Remote command execution vulnerability in Freemarker tag of Struts2 (S2-053)

Last Updated: Apr 08, 2018

On September 6, 2017, the Apache Struts project published advisory S2-053 (CVE-2017-12611) [1], rated medium risk. When a Freemarker template initializes a Struts tag attribute from an expression (a bare variable or a `${...}` interpolation) instead of a string literal, the value is evaluated twice: first by Freemarker, then again as OGNL by the Struts tag. If that value comes from the request, an attacker can supply an OGNL expression and achieve remote code execution.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-12611

Vulnerability name

Struts2 Freemarker tag remote command execution vulnerability (S2-053)

Vulnerability rating

Medium

Vulnerability description

When an expression literal or a forced expression is used to initialize an attribute of a Freemarker tag, the Struts tag evaluates the value again as OGNL after Freemarker has already evaluated it. If the value is taken from the request, the second evaluation runs attacker-supplied OGNL and leads to remote code execution. Both of the following constructions are affected:

  1. <@s.hidden name="redirectUri" value=redirectUri />
  2. <@s.hidden name="redirectUri" value="${redirectUri}" />

Condition and method of exploitation

An attacker can exploit this vulnerability remotely when a template uses one of the constructions above and the referenced value can be set from the request, for example an action property with a public setter that the parameters interceptor populates from a request parameter. The attacker sends an OGNL expression as that parameter; Freemarker inserts it into the tag attribute, and the tag evaluates it.

Affected scope

  • Struts 2.0.1 - 2.3.33
  • Struts 2.5 - 2.5.10

The default configuration is not affected.

Vulnerability detection

Check the Struts version in use (for example the struts2-core jar under WEB-INF/lib) against the affected ranges above, and search the application's Freemarker templates (.ftl) for Struts tags whose value attribute is initialized from a Freemarker expression (value=variable) or an interpolation (value="${variable}") rather than a string literal.

How to fix or mitigate

Do not use such constructions in your code: initialize the value attribute with a string literal, or back it with a read-only property on the action (a property with a getter and no setter), so that the parameters interceptor cannot set its content from the request.

Upgrading to Apache Struts 2.5.12 or 2.3.34, which ship a more restricted Freemarker configuration, also addresses the issue, but removing the vulnerable constructions is preferable.
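The scanner below is an added example, not part of the Struts advisory or this notice. It implements the detection check and illustrates the fix: it walks Freemarker templates, finds Struts tags whose value attribute is a bare expression or a `${...}` interpolation (the two constructions listed under the vulnerability description) and reports them, while leaving quoted string literals and `%{...}` forced-OGNL values with a fixed property name alone. The sample templates, their file names and the variable names are constructed for the example.

```python
"""Added example (not from the advisory or this notice): a scanner for the
S2-053 Freemarker tag constructions (CVE-2017-12611).

It finds Struts tags in .ftl templates whose `value` attribute is initialized
from a Freemarker expression (bare variable or `${...}` interpolation) instead
of a string literal. The sample templates below are constructed for the
example; file names and variable names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A Struts tag in a Freemarker template, e.g. <@s.hidden name="x" value=y />;
# group 1 is the tag name, group 2 the raw attribute text.
TAG_RE = re.compile(r"<@s\.(\w+)\s+([^>]*?)/?>", re.DOTALL)
# One attribute: name, then a double-quoted, single-quoted or bare value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s/>]+)""")


@dataclass
class Finding:
    template: str
    line: int
    tag: str
    value: str
    reason: str


def classify_value(raw: str) -> Optional[str]:
    """Return why a raw `value` attribute matches S2-053, or None for a plain literal.

    Freemarker evaluates a bare variable or a ${...} interpolation first; the
    Struts tag then evaluates the resulting string again as OGNL, so request
    controlled content reaches the OGNL evaluator. A quoted literal without
    ${...} is not re-evaluated, and "%{expr}" is the tag's normal single OGNL
    evaluation, which is not the double evaluation S2-053 describes.
    """
    if raw[0] not in "\"'":
        return "bare Freemarker expression; its result is re-evaluated as OGNL"
    if "${" in raw[1:-1]:
        return "Freemarker interpolation inside the literal; its result is re-evaluated as OGNL"
    return None


def scan_template(name: str, text: str) -> List[Finding]:
    """Return one Finding per Struts tag whose value attribute matches S2-053."""
    findings: List[Finding] = []
    for tag_match in TAG_RE.finditer(text):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = text.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR_RE.finditer(attrs):
            if attr_match.group(1) != "value":
                continue
            reason = classify_value(attr_match.group(2))
            if reason is not None:
                findings.append(Finding(name, line, tag, attr_match.group(2), reason))
    return findings


def scan_templates(templates: Dict[str, str]) -> List[Finding]:
    """Scan several templates (name -> contents) and concatenate the findings."""
    findings: List[Finding] = []
    for name, text in templates.items():
        findings.extend(scan_template(name, text))
    return findings


# Constructed sample templates for the example (assumed file and variable names).
SAMPLE_TEMPLATES: Dict[str, str] = {
    "login.ftl": (
        '<@s.form action="login">\n'
        '  <#-- S2-053 construction 1: bare Freemarker expression -->\n'
        '  <@s.hidden name="redirectUri" value=redirectUri />\n'
        '  <#-- S2-053 construction 2: interpolation inside the string literal -->\n'
        '  <@s.hidden name="redirectUri" value="${redirectUri}" />\n'
        '  <#-- plain string literal: not re-evaluated -->\n'
        '  <@s.hidden name="mode" value="interactive" />\n'
        '  <#-- forced OGNL against a fixed property name: one evaluation -->\n'
        '  <@s.textfield name="username" value="%{username}" />\n'
        '</@s.form>\n'
    ),
    "profile.ftl": '<@s.textfield name="email" value=email label="E-mail" />\n',
}


if __name__ == "__main__":
    for f in scan_templates(SAMPLE_TEMPLATES):
        print(f"{f.template}:{f.line}: <@s.{f.tag} value={f.value}> -> {f.reason}")
```

Every hit needs one of the remediations above: replace the value with a string literal, or keep the construction only where the backing action property has a getter and no setter, so the parameters interceptor cannot populate it from the request. The scanner cannot see the action class, so it flags every expression-initialized value and leaves that second judgement to the reviewer.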

Reference

[1] https://struts.apache.org/docs/s2-053.html
