CVE-2012-0391
published 2012-01-08
CVE-2012-0391: The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for…
Priority P194 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-07-21
Exploited in the wild
EPSS: 75.07% (99.4th percentile)
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | < 2.2.3.1 | 2.2.3.1 |
Detection & IOCs (extracted from sources)
- url: `/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'`
- url: `/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'`
- cookie: `(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1`
- url: `/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')`
- command: `'%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec("CMD"))%2b'`
- command: `'%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec("CMD".split("@")))%2b'`

Detection notes:
- Detect OGNL injection attempts in HTTP parameters: look for URL-encoded OGNL payloads containing '%23_memberAccess' or '@java.lang.Runtime@getRuntime' in GET/POST parameter values, which indicate exploitation of the ExceptionDelegator type-mismatch code path.
- Detect OGNL injection via Cookie header: monitor for Cookie headers containing '#_memberAccess' or '\u003d' (Unicode-encoded '=') combined with '@java.lang.Runtime@getRuntime().exec' patterns, as used in the cookie-based attack vector.
- Detect use of the Struts developer-mode debug endpoint as an attack vector: requests containing 'debug=command&expression=' with OGNL payloads should be flagged, as this endpoint evaluates arbitrary OGNL expressions.
- The Metasploit module targets the TARGETURI parameter with an INJECT placeholder replaced by OGNL payload; monitor for GET requests to Struts action URLs containing '%2b(' and '%23_memberAccess' in parameter values as a strong exploitation indicator.

Scoping notes:
- The vulnerability affects Apache Struts versions up to and including 2.2.3 (before 2.2.3.1); the Metasploit module specifically targets versions < 2.2.1.1, while the original advisory confirms 2.3.1 and below are vulnerable. Ensure version scoping is correct when applying detections.
- The cookie-based and debug-endpoint attack vectors (PoC 2 and 3) were confirmed against Struts 2.2.1.1, 2.2.3.1, and 2.3.1, meaning the fixed version 2.2.3.1 is still vulnerable to those specific vectors; detections should not assume 2.2.3.1 is fully safe.
- Developer mode ('debug=command') must be disabled as a workaround; applications running in developer mode expose an additional OGNL expression evaluation endpoint that is independently exploitable.
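The detection notes above can be turned into a small request classifier. The following is an added example, not code from this page or any of its sources; the rule names, the `classify` function and the sample requests are assumptions constructed from the indicator patterns listed above.

```python
import re
from urllib.parse import parse_qsl, unquote

# Indicator strings from the detection notes, matched after decoding.
MARKERS = ("#_memberAccess", "@java.lang.Runtime@getRuntime")
_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(value):
    """Percent-decode, then resolve \\uXXXX escapes such as \\u003d ('=')."""
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(value))

def has_marker(value):
    return any(m in value for m in MARKERS)

def classify(target, cookie=""):
    """Return the rule names triggered by a request target and Cookie header."""
    hits = []
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes once (%23 -> '#', %2b -> '+'); normalize()
    # decodes a second time so double-encoded values (%2523) are also caught.
    params = [(k, normalize(v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    if any(has_marker(v) for _, v in params):
        hits.append("ognl-in-parameter")
    # String-concatenation wrapper described in the Metasploit note: '%2b(' ... '%23_memberAccess'
    if any("+(" in v and "#_memberAccess" in v for _, v in params):
        hits.append("concat-breakout")
    names = dict(params)
    # Developer-mode endpoint: flagged for any expression, since it evaluates arbitrary OGNL.
    if names.get("debug") == "command" and "expression" in names:
        hits.append("debug-command-endpoint")
    if has_marker(normalize(cookie)):
        hits.append("ognl-in-cookie")
    return hits

# Constructed sample requests (target, Cookie header) modelled on the IOC list above.
SAMPLES = [
    ("/Test.action?id='%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true)%2b'", ""),
    ("/Test.action?debug=command&expression=%23_memberAccess[\"allowStaticMethodAccess\"]=true", ""),
    ("/Test.action", r'(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1'),
    ("/Test.action?id=%2523_memberAccess", ""),   # double-encoded '#'
    ("/Test.action?id=42&q=a%2bb", "JSESSIONID=abc123"),  # benign
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(classify(target, cookie), target, cookie)
```

Matching happens on decoded values, so the same rules cover raw, percent-encoded and `\u003d`-escaped forms of the indicators.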
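CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |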
OSV
Apache Struts Remote Java Code Execution
osv·2022-05-04
CVE-2012-0391 [CRITICAL] Apache Struts Remote Java Code Execution
The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
GHSA
Apache Struts Remote Java Code Execution
ghsa·2022-05-04
CVE-2012-0391 [CRITICAL] CWE-20 Apache Struts Remote Java Code Execution
The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
VulnCheck
Apache Struts 2 Improper Input Validation Vulnerability
vulncheck·2012·CVSS 9.8
CVE-2012-0391 [CRITICAL] CWE-20 Apache Struts 2 Improper Input Validation Vulnerability
The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.
Affected: Apache Struts 2
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.fortiguard.com/encyclopedia/ips/30956; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-07-21
CISA
Apache Struts 2 Improper Input Validation Vulnerability
cisa·2022-01-21·CVSS 9.8
CVE-2012-0391 [CRITICAL] CWE-20 Apache Struts 2 Improper Input Validation Vulnerability
Vulnerability: Apache Struts 2 Improper Input Validation Vulnerability
Affected: Apache Struts 2
The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-0391
Remediation Due Date: 2022-07-21
Red Hat
struts: User input is evaluated as an OGNL expression when there's a conversion error
vendor_redhat·2011-08-05·CVSS 9.8
CVE-2012-0391 [CRITICAL] struts: User input is evaluated as an OGNL expression when there's a conversion error
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclus
No detection rules found.
Exploit-DB
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)
exploitdb·2012-06-05
CVE-2012-0391 Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Apache Struts %q{
This module exploits a remote command execution vulnerability in
Apache Struts versions
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'sinn3r' # Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2012-0391'],
[ 'OSVDB', '78277'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fi
Exploit-DB
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
exploitdb·2012-01-06
CVE-2012-0394 Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
Apache Struts 2
title: Multiple critical vulnerabilities in Apache Struts2
product: Apache Struts2
* OpenSymphony XWork
* OpenSymphony OGNL
vulnerable version: 2.3.1 and below
fixed version: 2.3.1.1
impact: critical
homepage: http://struts.apache.org/
found: 2011-11-18
by: Johannes Dahse, Andreas Nusser
SEC Consult Vulnerability Lab
https://www.sec-consult.com
Vendor description:
Apache Struts2 is a web framework for creating Java web applications. It is
using the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. An OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser which
invokes appropriate Java methods. This al
Metasploit
Apache Struts Remote Command Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1. This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Bugzilla
CVE-2012-0391 struts: User input is evaluated as an OGNL expression when there's a conversion error
bugzilla·2012-01-11·CVSS 9.8
CVE-2012-0391 [CRITICAL] CVE-2012-0391 struts: User input is evaluated as an OGNL expression when there's a conversion error
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0391 to
the following vulnerability:
Name: CVE-2012-0391
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
Assigned: 20120108
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
Reference: http://www.exploit-db.com/exploits/18329
Reference: https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
Reference: http://struts.apache.org/2.x/docs/s2-008.html
Reference: http://struts.apache.org/2.x/docs/version-notes-2311.html
Reference: https://issues.apache.org/jira/browse/WW-3668
Reference: http://secunia.com/advisories/47393
The ExceptionDelegat
arXiv
On the Use of Fine-grained Vulnerable Code Statements for Software Vulnerability Assessment Models
arxiv_fulltext·2022-03-16
Triet Huynh Minh Le
CREST - The Centre for Research on Engineering Software Technologies, The University of Adelaide
Adelaide
Australia
M. Ali Babar
CREST - The Centre for Research on Engineering Software Technologies, The University of Adelaide
Adelaide
Australia
Cyber Security Cooperative Research Centre, Australia
## Abstract
Many studies have developed Machine Learning (ML) approaches to detect Software Vulnerabilities (SVs) in functions and fine-grained code statements that cause such SVs.
However, there is little work on leveraging such detection outputs for data-driven SV assessment to give information about exploitability, impa
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
References
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://secunia.com/advisories/47393
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
- https://issues.apache.org/jira/browse/WW-3668
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0391

Timeline
- 2012-01-08: Published
- 2022-01-21: Added to CISA KEV
Exploited in the wild