- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
Last updated: 2022-06-23 11:14:27
On August 13, 2020, Tencent Security noticed that Apache Struts issued a security advisory for the S2-059 Struts remote code execution vulnerability and S2-060 Struts denial of service vulnerability.
Vulnerability Details
Apache Struts 2 is a web framework for developing Java EE network applications.
S2-059 Struts remote code execution vulnerability (CVE-2019-0230): In cases such as improper use of certain tags, OGNL expression injection may exist, thereby causing a remote code execution vulnerability.
S2-060 Struts denial of service vulnerability (CVE-2019-0233): It may cause denial of service attacks when files are uploaded and manipulated.
Affected Versions
Apache Struts 2.0.0–2.5.20
Safe Versions
Apache Struts >= 2.5.22
Suggestions for Fix
Based on the vulnerability information, Tencent Security recommends you:
Upgrade the Apache Struts framework to the latest version.
Use Tencent Cloud WAF, an AI-based one-stop web security solution. The most typical characteristic of the S2-059 vulnerability is that it uses the OGNL language. The Tencent Security technical team conducted a targeted study on OGNL expressions, blocked attacks against such expressions, and integrated the defense capability into WAF. Therefore, as long as the vulnerability is attacked based on OGNL expressions, WAF can directly block them.
In addition, the intelligent engine of WAF also provides intelligent defense against SQL, XSS, and command execution attacks. Backed by AI technologies, it can reasonably and effectively block unknown security vulnerabilities for improved business continuity.
References
Official advisory:
Yes
No
Was this page helpful?