CVE-2012-0391 — Apache Struts 2 Improper Input Validation Vulnerability

Apache Struts 2 — ExceptionDelegator OGNL Injection Enables Unauthenticated Remote Code Execution

What is Apache Struts 2?

Apache Struts 2 is a widely used open-source Java MVC web framework for building enterprise web applications. It is particularly prevalent in large financial institutions, government agencies, and enterprise environments — and was the framework underlying the Equifax web portal breached in 2017. Struts 2 uses OGNL (Object-Graph Navigation Language) as its expression language, evaluating OGNL expressions throughout the request processing pipeline. This tight integration between OGNL evaluation and request handling has made Struts 2 the source of multiple critical OGNL injection vulnerabilities.

Overview

CVE-2012-0391 is an OGNL injection vulnerability in the ExceptionDelegator component of Apache Struts 2. When a request parameter cannot be converted to the type of the action property it targets (for example, a string submitted for an int field), the resulting conversion error is handled by building a message that embeds the offending parameter value, and that message is then evaluated as an OGNL expression. An attacker who submits a parameter value containing OGNL code therefore gets it evaluated on the server, which yields arbitrary Java code execution without authentication.

Apache addressed this in Struts 2.2.3.1; the issue was publicly disclosed in January 2012 together with the Apache Struts security announcement referenced below.

Affected Versions

Struts Version               Affected   Fixed In
Struts 2.0.0 - 2.2.3         Yes        2.2.3.1
Struts 2.2.3.1 and later     No         (already patched)
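As an added example (not part of the original advisory or the Struts project), the following Python check encodes the affected range from the table above and applies it to struts2-core jar file names as they appear in a WEB-INF/lib listing, the inventory check the Remediation section's audit step asks for. The sample directory listing is constructed, and the version-parsing rule (drop any alphabetic qualifier such as -SNAPSHOT before comparing) is an assumption of this example.

```python
import re
from typing import List, Optional, Tuple

# Fixed release for CVE-2012-0391, as in the table above.
FIXED_VERSION = (2, 2, 3, 1)
# First Struts 2 release; anything below this is not a Struts 2 artifact.
FIRST_AFFECTED = (2, 0, 0)

# Maven artifact names such as "struts2-core-2.2.3.jar" or
# "struts2-core-2.3.1.1-SNAPSHOT.jar"; the group captures the numeric version.
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z][\w.-]*)?\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.3.1' or '2.3.1-SNAPSHOT' into a tuple of ints for comparison.

    Assumption of this example: alphabetic qualifiers after the numeric part
    ('-SNAPSHOT', '.RC1') are dropped; they do not change which fixes are present.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if a struts2-core version lies in the affected range 2.0.0 - 2.2.3.

    Tuple comparison handles the different lengths correctly: (2, 2, 3) sorts
    below (2, 2, 3, 1) and (2, 3) above it, so 2.2.3 is affected and 2.3.x is not.
    """
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def jar_version(path: str) -> Optional[str]:
    """Version string from a struts2-core jar path, or None for any other file."""
    m = _JAR_RE.match(path.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def audit_lib_dir(paths: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (path, version, affected) for every struts2-core jar in a listing."""
    findings = []
    for path in paths:
        ver = jar_version(path)
        if ver is not None:
            findings.append((path, ver, is_vulnerable(ver)))
    return findings


# Constructed listing of two deployed applications (not taken from a real host).
SAMPLE_LIB = [
    "app1/WEB-INF/lib/struts2-core-2.2.3.jar",
    "app1/WEB-INF/lib/xwork-core-2.2.3.jar",
    "app1/WEB-INF/lib/struts2-convention-plugin-2.2.3.jar",
    "app1/WEB-INF/lib/ognl-3.0.1.jar",
    "app2/WEB-INF/lib/struts2-core-2.3.1.1-SNAPSHOT.jar",
]

if __name__ == "__main__":
    for path, ver, affected in audit_lib_dir(SAMPLE_LIB):
        status = "AFFECTED by CVE-2012-0391" if affected else "not affected"
        print(f"{path}: struts2-core {ver} -> {status}")
```

Only struts2-core is matched: plugin jars carry the same version number but are not what decides exposure, and xwork-core is versioned independently of Struts before 2.3.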

Technical Details

Apache Struts 2 uses OGNL for expression evaluation in views, interceptors, and action processing. OGNL can reach the Java runtime: an expression such as (#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('id')) first re-enables static method calls on the OGNL member-access sandbox and then invokes Runtime.exec, so any code path that evaluates attacker-controlled text as OGNL is an operating-system command execution primitive.

The ExceptionDelegator component handles exceptions raised while request parameters are being set on the action. When a value cannot be converted to the target property's type, the conversion error message incorporates the raw parameter value, and that message is then passed through OGNL evaluation. Nothing escapes or sanitizes the value first, so the attacker-controlled parameter is evaluated as an expression instead of being treated as data.

Exploitation:

An illustrative request (editPerson.action and its integer-typed property age are hypothetical names chosen for this description, not a verified target):

GET /app/editPerson.action?age=<URL-encoded OGNL payload> HTTP/1.1

The string value cannot be converted to an int, so the conversion error path is taken and the payload carried in the parameter value is evaluated as OGNL. Percent-encoding in the request (%25%7B for %{, %23 for #, and so on) is transport encoding only: the server decodes it before the value reaches OGNL, so it does not change what executes, but it does matter for anyone writing detection rules against raw request logs. A successful request executes arbitrary Java code with the privileges of the application server process, which is often a service account with more access than the application needs.

This is part of a recurring pattern of Struts 2 OGNL vulnerabilities — CVE-2012-0391 preceded the more famous CVE-2017-5638 (which triggered the Equifax breach) by five years, demonstrating the persistence of this vulnerability class in the Struts 2 codebase.

Discovery

The vulnerability came out of security research into how Struts 2 evaluates OGNL during request processing and was reported to the Apache Struts team; the fix shipped in 2.2.3.1.

Exploitation Context

CISA added this CVE to its Known Exploited Vulnerabilities catalog in January 2022, a decade after the fix, which reflects continued exploitation of unpatched deployments rather than any new technique. Apache Struts 2 vulnerabilities are heavily targeted by automated scanners and threat actors because Struts applications are often exposed directly to the internet (web portals, customer-facing applications) and many organizations lag in patching Java web frameworks relative to OS-level patches. Successful exploitation gives unauthenticated code execution as the web server process, which is about as high-impact as an initial access vector gets.

Remediation

  1. Upgrade to Struts 2.2.3.1 or later; in practice, move to the latest release of a currently supported branch, since every 2.0.x and 2.2.x release has many further critical OGNL fixes outstanding
  2. The Struts 2.3.x line has reached end of life and no longer receives fixes; check the project's release announcements for the branches that are still supported and stay on the latest release of one of them
  3. If an immediate upgrade is not possible, removing conversion-error handling from the affected actions' interceptor stack only removes the message-building step this bug lives in; it breaks normal type-conversion error reporting, is not a vendor-documented mitigation and may not cover every code path, so treat it as a stopgap until the upgrade lands
  4. Deploy WAF or reverse-proxy rules that match OGNL syntax (%{, ${, #_memberAccess, @java.lang.Runtime@-style static class references) in parameter values and action names, and make sure the rule is applied after URL decoding; a rule that inspects the raw query string misses single- and double-encoded payloads
  5. Enforce least privilege for the application server process account; limit file system write access and outbound network connections to reduce the impact of a successful exploit
  6. Inventory exposed Struts 2 applications and check their struts2-core versions with software composition analysis (SCA) tooling; anything below 2.2.3.1 is affected by this CVE, and anything in the 2.x line short of a supported release is affected by later ones
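As an added example written for this page (not the project's code and not a vendor rule), here is detection logic for the OGNL indicators named in step 4, run over constructed access-log lines. It percent-decodes the request target before matching, which is the detail the encoded request in the Exploitation section makes necessary: a rule that looks at the raw query string misses %25%7B (%{) and double-encoded variants. The combined log format, the hypothetical editPerson.action/age target, and the indicator list are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Indicators of OGNL syntax and of the payload building blocks shown in the
# Technical Details section. Matched after percent-decoding and case-folding,
# so encoding and capitalisation variants do not slip past.
OGNL_PATTERNS = {
    "expr_open": re.compile(r"[%$]\{"),                   # %{ ... } or ${ ... }
    "member_access": re.compile(r"#_memberaccess"),       # the OGNL sandbox object
    "static_method_flag": re.compile(r"allowstaticmethodaccess"),
    "static_class_ref": re.compile(r"@[a-z_][\w.]*@"),    # @java.lang.Runtime@...
    "runtime_exec": re.compile(r"getruntime\(\)\.exec\("),
    "context_ref": re.compile(r"#context\["),
}


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %2525%257B -> %25%7B -> %{ is matched in
    its final form. The bound keeps hostile input from looping."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def ognl_indicators(request_target: str) -> list:
    """Names of the OGNL-injection indicators present in a request path plus
    query string, in OGNL_PATTERNS order; an empty list means none matched."""
    text = fully_decode(request_target).lower()
    return [name for name, rx in OGNL_PATTERNS.items() if rx.search(text)]


# Request line of a combined-format access log entry (assumed log format).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, timestamp, target, indicators) for every log line whose
    request target carries OGNL indicators; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        found = ognl_indicators(m.group("target"))
        if found:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), found))
    return hits


# Constructed sample log (not real traffic). editPerson.action and its integer
# field "age" are hypothetical. Line 2 submits the page's example payload as a
# parameter value; line 3 is a double-encoded %{...} expression; lines 1 and 4
# are benign, and line 4 carries a literal '$' to show that alone is no hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2012:10:00:01 +0000] "GET /app/editPerson.action?id=42 HTTP/1.1" 200 1234',
    '198.51.100.23 - - [08/Jan/2012:10:00:07 +0000] "GET /app/editPerson.action?age='
    "%27%2B(%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%2C"
    '%40java.lang.Runtime%40getRuntime().exec(%27id%27))%2B%27 HTTP/1.1" 500 812',
    '198.51.100.23 - - [08/Jan/2012:10:00:09 +0000] "GET /app/editPerson.action?age='
    '%2525%257B%2523_memberAccess%255B%2527allowStaticMethodAccess%2527%255D%253Dtrue%257D HTTP/1.1" 500 812',
    '203.0.113.9 - - [08/Jan/2012:10:01:00 +0000] "GET /app/report.action?price=$19.99&q=a%20b HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, ts, target, found in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(found)}\n    {target}")
```

Run against real logs, expect the expr_open and static_class_ref patterns to produce occasional false positives (templating remnants, e-mail addresses in parameters); the high-confidence signal is member_access, static_method_flag or runtime_exec appearing in a parameter value, and a 500 status on the same request is consistent with the conversion-error path having been hit.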

Key Details

Property               Value
CVE ID                 CVE-2012-0391
Vendor / Product       Apache — Struts 2
NVD Published          2012-01-08
NVD Last Modified      2025-10-22
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-20 (Improper Input Validation)
CISA KEV Added         2022-01-21
CISA KEV Deadline      2022-07-21
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-07-21. Apply updates per vendor instructions.

Timeline

Date          Event
2012-01-04    Vulnerability publicly disclosed; the Apache Struts security announcement identifies 2.2.3.1 as the fixed release
2012-01-08    CVE-2012-0391 published in NVD
2022-01-21    Added to the CISA Known Exploited Vulnerabilities catalog
2022-07-21    CISA BOD 22-01 remediation deadline

References

Resource                                                 Type
NVD — CVE-2012-0391                                      Vulnerability Database
CISA KEV Catalog Entry                                   US Government
Apache Struts Security Announcement (January 2012)       Vendor Advisory