CVE-2017-9791 — Apache Struts 1 Improper Input Validation Vulnerability


Apache Struts 1 Plugin (Struts 2) — OGNL Expression Injection via ActionMessage Raw Value Enables Unauthenticated RCE; S2-048; CRITICAL 9.8; Patched July 2017

What Is Apache Struts 1 and the Struts 1 Plugin?

Apache Struts 1 was a widely deployed Java MVC web framework that reached end-of-life in 2013. To ease migration to Struts 2, the struts2-struts1-plugin allows legacy Struts 1 actions (ActionForm, ActionMessage) to run within a Struts 2 application. CVE-2017-9791 (S2-048) affects this compatibility layer: the plugin processes Struts 1 ActionMessage values using the Struts 2 OGNL expression evaluator without proper sanitization. Because Struts 1 itself is end-of-life and the plugin effectively brings EOL code into active Struts 2 deployments, this represents a persistent risk in organizations that never completed their Struts migration.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-9791 is an OGNL expression injection vulnerability (tracked as Apache security bulletin S2-048) in the Struts 1 plugin for Struts 2. When a Struts 1 action that uses ActionMessage passes a field value as a raw message (rather than looking it up as a resource bundle key), the Struts 2 framework evaluates the value through the OGNL expression engine — allowing an attacker to inject arbitrary OGNL that executes Java code on the server. The vulnerability is unauthenticated (CRITICAL 9.8) and requires no user interaction. Fixed in Struts 2.3.34 and 2.5.13 (July 2017). CISA added CVE-2017-9791 to the KEV catalog in February 2022.

Affected Versions

Component: Affected
Apache Struts 2 with struts2-struts1-plugin: 2.3.x before 2.3.34
Apache Struts 2 with struts2-struts1-plugin: 2.5.x before 2.5.13
Apache Struts 1: EOL (all versions; not directly patched)

The vulnerability is only triggered when the application uses the struts2-struts1-plugin and Struts 1 ActionMessage with user-controlled values passed as raw messages.

Technical Details

Root Cause: OGNL Evaluation of Unsanitized ActionMessage Values

CVE-2017-9791 is an improper input validation vulnerability (CWE-20) in the Struts 1 plugin's message processing. The Struts 2 message rendering pipeline evaluates message values through the OGNL expression evaluator. When a Struts 1 ActionMessage is constructed with a user-controlled string that is treated as a raw value (not a key), that string reaches the OGNL evaluator without sanitization.

Exploitation mechanism: An attacker submits a crafted form field containing an OGNL expression — for example:

%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#cmd='id')...}

The Struts 2 rendering layer evaluates this expression in the context of the server JVM, achieving arbitrary command execution as the application server user.
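The vulnerable call pattern beside its hardened form, as an added Java example (not code from this page or from the Struts project); the SaveProfileAction class, the DynaActionForm "name" property and the profile.saved bundle key are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
import org.apache.struts.action.DynaActionForm;

// Hypothetical Struts 1 action hosted by struts2-struts1-plugin. Assumption: a
// DynaActionForm with a String property "name" is mapped to it in struts-config.xml.
public class SaveProfileAction extends Action {

    // VULNERABLE PATTERN (the S2-048 trigger): the user-supplied name is baked into a
    // raw message (resource=false). The plugin hands that literal string to the
    // Struts 2 text pipeline, where a %{...} value is evaluated as OGNL on the server.
    public ActionForward executeVulnerable(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        String name = ((DynaActionForm) form).getString("name"); // attacker-controlled
        ActionMessages messages = new ActionMessages();
        messages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("Profile saved for " + name, false)); // raw value, not a key
        saveMessages(request, messages);
        return mapping.findForward("success");
    }

    // HARDENED PATTERN: only a fixed resource-bundle key reaches the message machinery;
    // the user value travels as a replacement argument that fills the {0} placeholder
    // of a constructed bundle entry:  profile.saved=Profile saved for {0}
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        String name = ((DynaActionForm) form).getString("name");
        ActionMessages messages = new ActionMessages();
        messages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("profile.saved", name)); // bundle key + replacement value
        saveMessages(request, messages);
        return mapping.findForward("success");
    }
}
```

Switching the call site to a bundle key removes the trigger described above, but it is not a substitute for upgrading to 2.3.34 / 2.5.13, which fixes the plugin itself.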

EOL context: Struts 1 reached end-of-life in 2013 with no further security patches. The struts2-struts1-plugin bridges EOL Struts 1 code into active Struts 2 deployments — carrying forward inherent security risks from a framework that is no longer maintained.

Attack Characteristics

Attribute: Detail
Attack Vector: Network — HTTP POST to Struts action endpoint
Authentication: None required
Execution: OGNL expression in form field value → Java code execution
Server privilege: Executes as application server process user
Advisory: Apache S2-048

Discovery

Discovered and reported to the Apache Struts security team; published as S2-048 in July 2017, coinciding with the patch release in Struts 2.3.34 and 2.5.13.

Exploitation Context

  • Post-Equifax Struts scrutiny: CVE-2017-9791 was published in July 2017 — four months after CVE-2017-5638 (the Equifax breach Struts vulnerability, S2-045); heightened attention on Apache Struts led to rapid weaponization of new Struts advisories
  • EOL plugin in production: Many large Java enterprise applications migrated partway from Struts 1 to Struts 2, leaving the struts2-struts1-plugin in production; these applications were vulnerable even if running a fully patched Struts 2 core
  • Scanner-driven exploitation: Automated vulnerability scanners and exploitation tools quickly integrated OGNL injection payloads for S2-048, enabling opportunistic mass exploitation
  • CISA KEV (2022): Added February 10, 2022 reflecting confirmed exploitation in targeted campaigns against organizations running legacy Struts deployments

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply updates per vendor instructions.
  1. Upgrade to Struts 2.3.34 or 2.5.13+ — install the patched Struts 2 release; the fix prevents raw ActionMessage values from being evaluated as OGNL expressions.

  2. Remove the Struts 1 plugin — if the struts2-struts1-plugin is no longer required (migration from Struts 1 is complete), remove it from the classpath entirely; eliminating the plugin removes the attack surface.

  3. Complete Struts 1 migration — Struts 1 is EOL and receives no security patches; any application still using Struts 1 or the compatibility plugin should complete migration to Struts 2 or a modern framework to eliminate this class of vulnerability.

  4. Apply WAF rules — deploy a web application firewall with Struts OGNL injection signatures to detect and block CVE-2017-9791 exploitation attempts while patching is in progress.

  5. Audit Struts usage — inventory all Java web applications for Struts 1 or Struts 2 with the Struts 1 plugin; prioritize patching applications exposed to the internet.

Key Details

Property: Value
CVE ID: CVE-2017-9791
Vendor / Product: Apache — Struts 1
NVD Published: 2017-07-10
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-20 — Improper Input Validation
CISA KEV Added: 2022-02-10
CISA KEV Deadline: 2022-08-10
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date: Event
2017-07-07: Apache Struts releases versions 2.3.34 and 2.5.13 patching CVE-2017-9791 (S2-048)
2017-07-10: CVE-2017-9791 published by NVD; S2-048 advisory published
2022-02-10: Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10: CISA BOD 22-01 remediation deadline

References

Resource: Type
NVD — CVE-2017-9791: Vulnerability Database
CISA KEV Catalog Entry: US Government
Apache Struts S2-048 Security Advisory: Vendor Advisory