Tencent Cloud

Web Application Firewall
Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)

Last updated: 2022-06-23 11:14:27
On August 13, 2020, Tencent Security noticed that Apache Struts had issued a security advisory covering the S2-059 Struts remote code execution vulnerability and the S2-060 Struts denial of service vulnerability.

Vulnerability Details

Apache Struts 2 is a web framework for developing Java EE network applications.
S2-059 Struts remote code execution vulnerability (CVE-2019-0230): when certain tags are used improperly, OGNL expression injection may be possible, resulting in remote code execution.
S2-060 Struts denial of service vulnerability (CVE-2019-0233): manipulating file uploads may cause a denial of service.

Affected Versions

Apache Struts 2.0.0–2.5.20

Safe Versions

Apache Struts >= 2.5.22

Suggestions for Fix

Based on the vulnerability information, Tencent Security recommends you:
Upgrade the Apache Struts framework to the latest version.
Use Tencent Cloud WAF, an AI-based one-stop web security solution. The most distinctive characteristic of the S2-059 vulnerability is its use of the OGNL language. The Tencent Security technical team conducted a targeted study of OGNL expressions, built blocking for attacks that use such expressions, and integrated this defense capability into WAF. Therefore, as long as the vulnerability is exploited through OGNL expressions, WAF can block the attack directly. In addition, the intelligent engine of WAF also provides intelligent defense against SQL injection, XSS, and command execution attacks. Backed by AI technologies, it can reasonably and effectively block unknown security vulnerabilities for improved business continuity.
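As an added example that is not part of this advisory or of Tencent Cloud WAF, the following Python script audits a Maven pom.xml against the affected and safe version ranges stated above, so a team can confirm where the upgrade recommendation applies; the sample POM, its property name and the "review" verdict for versions the advisory does not list are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Version ranges exactly as stated in the advisory above.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 5, 20)
SAFE_MIN = (2, 5, 22)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace prefix

def parse_version(text):
    # '2.5.20' -> (2, 5, 20); a missing patch component counts as 0; None if unparseable.
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?", text.strip())
    return m and (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(version):
    # 'affected', 'safe', or 'review' for anything the advisory does not list (e.g. 2.5.21).
    v = parse_version(version)
    if v is None:
        return "review"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "safe" if v >= SAFE_MIN else "review"

def struts_dependencies(pom_xml):
    # [(artifactId, resolved version, verdict)] for each org.apache.struts dependency.
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for node in root if _local(node.tag) == "properties" for p in node}
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.struts":
            continue
        version = f.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)  # resolve ${property} references
        if ref:
            version = props.get(ref.group(1), version)
        found.append((f.get("artifactId", "?"), version, classify(version)))
    return found

# Constructed sample POM (not from any real project) for a stand-alone run.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties><struts.version>2.5.20</struts.version></properties><dependencies>
<dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
<version>${struts.version}</version></dependency>
<dependency><groupId>org.apache.struts</groupId><artifactId>struts2-rest-plugin</artifactId>
<version>2.5.22</version></dependency></dependencies></project>"""
```

Running `struts_dependencies(SAMPLE_POM)` reports struts2-core 2.5.20 as affected and struts2-rest-plugin 2.5.22 as safe; a version the advisory does not mention, such as 2.5.21, is flagged for review rather than assumed safe.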

References

Official advisory:
