A critical Remote Code Execution (RCE) vulnerability in Apache Struts, CVE-2021-31805, has been disclosed together with a patch. The US Cybersecurity and Infrastructure Security Agency (CISA) recommended that all administrators upgrade to the latest Struts 2 version. Apache Struts is a widely used open-source application development framework that Java web developers use to build model–view–controller (MVC) applications. The vulnerability stems from an incomplete patch for an earlier critical Object-Graph Navigation Language (OGNL) vulnerability in Struts, CVE-2020-17530.
The bug is only reachable under specific circumstances: applying forced OGNL evaluation to untrusted user input can lead to Remote Code Execution and other security degradation. Mitigation therefore consists of removing the use of forced OGNL evaluation from the webapp's own code. However, because Proof of Concept (PoC) code for the 2020 vulnerability is already available to threat actors and a full code review may not be feasible, patching or upgrading to Struts 2.5.30 as soon as possible is the recommended course. While CISA has not reported any use of this vulnerability in the wild, post-exploitation threat hunting as one component of a defense-in-depth strategy is highly recommended.
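As an added example (not part of the original advisory and not Struts project tooling), the following Python script supports the code review that the mitigation calls for: it lists every Struts tag attribute in a JSP tree that uses the forced-evaluation `%{...}` syntax, so each occurrence can be checked for whether it could carry untrusted input. The `s` tag prefix and the embedded sample page are assumptions.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Opening Struts tag with the conventional "s" prefix (the prefix is an assumption).
STRUTS_TAG_RE = re.compile(r"<s:(?P<tag>[\w-]+)(?P<attrs>[^>]*?)/?>", re.DOTALL)
# name="value" or name='value' pairs inside the tag.
ATTR_RE = re.compile(r"(?P<name>[\w:-]+)\s*=\s*(?P<q>[\"'])(?P<value>.*?)(?P=q)", re.DOTALL)
# Forced OGNL evaluation syntax: %{ ... }
FORCED_OGNL_RE = re.compile(r"%\{[^}]*\}")


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line on which the tag starts
    tag: str         # Struts tag name, e.g. "a" or "textfield"
    attribute: str   # attribute holding the forced expression
    expression: str  # the %{...} text that needs review


def find_forced_ognl(jsp_source: str) -> list[Finding]:
    """Return every %{...} expression found inside a Struts tag attribute."""
    findings = []
    for tag in STRUTS_TAG_RE.finditer(jsp_source):
        line_no = jsp_source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            for expr in FORCED_OGNL_RE.finditer(attr.group("value")):
                findings.append(Finding(line_no, tag.group("tag"), attr.group("name"), expr.group(0)))
    return findings


def scan_tree(root: Path) -> list[tuple[Path, Finding]]:
    """Walk a webapp directory and collect findings from every .jsp file."""
    results = []
    for jsp in sorted(root.rglob("*.jsp")):
        for finding in find_forced_ognl(jsp.read_text(encoding="utf-8", errors="replace")):
            results.append((jsp, finding))
    return results


# Constructed sample page (not from any real application) for a stand-alone run.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:textfield name="username" label="User name" />
<s:a id="%{skillName}" href="/skills">link</s:a>
<s:url action="profile" var="profileUrl" />
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(Path(sys.argv[1]))
    else:
        hits = [(Path("sample.jsp"), f) for f in find_forced_ognl(SAMPLE_JSP)]
    for path, f in hits:
        print(f"{path}:{f.line}: <s:{f.tag} {f.attribute}=...> uses {f.expression}")
```

Run it with the webapp root as the only argument; with no argument it scans the embedded sample and reports the `id` attribute on line 3.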