CVE-2020-17530 — Apache Struts Remote Code Execution Vulnerability

Apache Struts S2-061 — Forced OGNL Evaluation in Tag Attributes Enables Unauthenticated Remote Code Execution; Bypass of S2-059 Fix in Struts 2.5.26

What is Apache Struts OGNL?

Apache Struts is a Java web application framework used in enterprise applications worldwide, including financial, government, and healthcare systems. Struts uses Object-Graph Navigation Language (OGNL) for data binding between HTTP parameters and Java objects — OGNL is an expression language that can evaluate arbitrary Java code. When user-supplied HTTP request data is evaluated as OGNL expressions (rather than treated as data), attackers can inject OGNL expressions that execute arbitrary Java code on the server. The history of Apache Struts RCE vulnerabilities (S2-045/CVE-2017-5638, S2-057, S2-059, S2-061) reflects the persistent challenge of preventing OGNL evaluation on user-controlled input.

Overview

CVE-2020-17530 is an OGNL expression injection vulnerability (CWE-917) in Apache Struts — published as S2-061 — where forced OGNL evaluation occurs on raw user input in tag attributes. This is a bypass of S2-059 (CVE-2019-0230), which had partially addressed OGNL injection but left tag attribute processing vulnerable. When alwaysSelectFullNamespace is true in Struts configuration, certain tag attributes undergo OGNL evaluation with user-supplied values, enabling unauthenticated attackers to execute arbitrary Java code. Fixed in Struts 2.5.26. CISA added it to KEV in November 2021.

Affected Versions

Product         Versions                Vulnerable   Fixed
Apache Struts   2.0.0 through 2.5.25    Yes          2.5.26

Technical Details

  • Root cause: OGNL expression injection (CWE-917) in Struts tag attribute processing — when alwaysSelectFullNamespace is enabled and certain Struts tag attributes (such as namespace, method, or action) accept user-supplied values, Struts evaluates those values as OGNL expressions rather than treating them as data strings; an attacker submits an HTTP request with OGNL syntax (%{expression}) in the affected parameter, causing arbitrary Java code execution on the server
  • S2-059 bypass: The S2-059 fix (CVE-2019-0230) restricted OGNL evaluation in some contexts but did not fully address tag attribute evaluation paths; CVE-2020-17530 exploits the remaining unpatched evaluation path in tag attribute handling
  • No authentication required: The vulnerable OGNL evaluation occurs during HTTP request processing before authentication; any user who can send an HTTP request to the Struts application can trigger OGNL injection without credentials
  • Java process privileges: Code executed via OGNL injection runs in the JVM with the privileges of the application server process (often running as a service account with significant filesystem and network access); RCE via OGNL injection is the primary mechanism for attacks like the 2017 Equifax breach (S2-045)
  • Struts legacy deployment: Many enterprise Java applications built on Struts 2 have never been migrated — financial institutions, government systems, and large enterprises frequently run decade-old Struts applications; OGNL RCE vulnerabilities in Struts are consistently weaponized within days of disclosure

Discovery

Discovered by security researchers after the S2-059 patch was found incomplete. Apache Struts released S2-061 / Struts 2.5.26 on December 8, 2020, simultaneously with public disclosure. CISA's November 2021 KEV addition reflects active exploitation of Struts applications that had not been updated to 2.5.26.

Exploitation Context

Apache Struts RCE vulnerabilities attract immediate, automated mass exploitation. Within days of S2-061 disclosure, researchers published working PoCs and scanning tools. The history of Struts OGNL RCE vulnerabilities (including the catastrophic Equifax breach via S2-045) means threat actors prioritize Struts targets. Enterprise Java applications built on old Struts versions in financial services, healthcare, and government are the primary targets. Post-exploitation typically involves web shell installation, data exfiltration, and lateral movement using the application server's stored credentials and network access.

Remediation

  1. Upgrade Apache Struts to 2.5.26 or later — fixes the OGNL evaluation in tag attributes
  2. If immediate upgrade is not possible: configure alwaysSelectFullNamespace to false in Struts configuration as a temporary mitigation (verify the application functions correctly without this setting)
  3. Deploy a Web Application Firewall (WAF) with rules blocking OGNL injection patterns (%{, ${, Java class references in HTTP parameters)
  4. Review Struts configuration to identify all request-processing components that accept user input in evaluated contexts
  5. Establish a process for monitoring Apache Struts security bulletins and applying patches promptly — Struts has a history of high-severity OGNL vulnerabilities; delayed patching directly enables mass exploitation
  6. Consider migrating long-running Struts 2 applications to a maintained framework; Struts 2 OGNL injection vulnerabilities reflect a systemic design risk in how the framework handles user input
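The two checks in this list that an operator can run locally, whether alwaysSelectFullNamespace is enabled (step 2) and whether request parameters carry the OGNL syntax named in step 3, as a small Python audit helper. This is an added example, not code from the Apache Struts project or the S2-061 bulletin. The struts.xml fragments and request lines it parses are constructed samples; the constant name struts.mapper.alwaysSelectFullNamespace is the real Struts key behind the setting the advisory names, and the signature set is limited to the patterns listed in step 3.

```python
from __future__ import annotations

import re
import urllib.parse
import xml.etree.ElementTree as ET

# Real Struts constant name behind the "alwaysSelectFullNamespace" setting
# discussed above; it can be set in struts.xml or struts.properties.
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Signatures from remediation step 3: OGNL expression delimiters and static
# class references of the form @some.package.Class@member.
OGNL_PATTERNS = {
    "ognl_expression": re.compile(r"%\{"),
    "dollar_expression": re.compile(r"\$\{"),
    "class_reference": re.compile(r"@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+@"),
}

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_STRUTS_XML_RISKY = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="example.IndexAction" />
  </package>
</struts>"""
SAMPLE_STRUTS_XML_MITIGATED = SAMPLE_STRUTS_XML_RISKY.replace('value="true"', 'value="false"')

# Constructed request lines in the shape of an access log's request field.
SAMPLE_REQUEST_LINES = [
    "GET /app/index.action?id=123&name=alice HTTP/1.1",
    "GET /app/index.action?id=%25%7B1%2B1%7D HTTP/1.1",            # double-encoded %{...}
    "POST /app/login.action?name=%24%7Buser%7D HTTP/1.1",          # ${...}
    "GET /app/report.action?fmt=%40java.lang.Math%40PI HTTP/1.1",  # @pkg.Class@member
]


def struts_full_namespace_enabled(struts_xml: str) -> bool:
    """True when struts.xml sets alwaysSelectFullNamespace to true (the
    condition the advisory names); absent means the Struts default, false."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == FULL_NAMESPACE_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing, so single or double
    percent-encoding cannot hide the delimiters from the pattern check."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_candidates(query_string: str) -> list[tuple[str, str]]:
    """Return (parameter name, pattern label) for every parameter whose name
    or value contains an OGNL signature after full decoding."""
    hits = []
    for name, value in urllib.parse.parse_qsl(query_string, keep_blank_values=True):
        for field in (name, value):
            decoded = fully_decode(field)
            for label, pattern in OGNL_PATTERNS.items():
                if pattern.search(decoded):
                    hits.append((name, label))
    return hits


def scan_request_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Apply find_ognl_candidates to the query string of each request line;
    returns (1-based line number, parameter name, pattern label) triples."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        query = parts[1].split("?", 1)[1]
        for name, label in find_ognl_candidates(query):
            findings.append((lineno, name, label))
    return findings


if __name__ == "__main__":
    for tag, xml in (("risky", SAMPLE_STRUTS_XML_RISKY), ("mitigated", SAMPLE_STRUTS_XML_MITIGATED)):
        print(f"{tag}: alwaysSelectFullNamespace enabled = {struts_full_namespace_enabled(xml)}")
    for lineno, name, label in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {lineno}: parameter {name!r} matched {label}")
```

Decoding repeatedly before matching is the point of the second check: a WAF rule that inspects only the raw query string misses a double-encoded %25%7B. Apply the same check to decoded POST bodies and headers that reach Struts tags, and treat a match as a review candidate rather than proof of exploitation, since ordinary parameters rarely contain these delimiters but can.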

Key Details

Property               Value
CVE ID                 CVE-2020-17530
Vendor / Product       Apache — Struts
NVD Published          2020-12-11
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-917
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-12-08   Apache Struts S2-061 security bulletin published; Struts 2.5.26 released fixing CVE-2020-17530
2020-12-11   CVE published
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                                 Type
Apache Struts S2-061 Security Bulletin   Vendor Advisory
NVD — CVE-2020-17530                     Vulnerability Database
CISA KEV Catalog Entry                   US Government