Apache Struts 2 vulnerable to an arbitrary Java method execution


Apache Struts 2 contains an arbitrary Java method execution vulnerability.

Apache Struts 2 is a framework to create Java web applications. Apache Struts 2 contains an arbitrary Java method execution vulnerability due to improper conversion in OGNL expression if a non-string property is contained in action.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Apache Software Foundation
  • Apache Struts 2.0.x
  • Apache Struts versions prior to 2.2.3


If a remote attacker sends a malformed request parameter to a vulnerable system, an arbitrary Java method may be executed. As a result, information such as environment variables may be disclosed, a denial-of-service (DoS) attack may be conducted, or an arbitrary OS command may be executed.

[Update the Software]
Apply the latest version according to the information provided by the developer.
The fix for this issue was contained in Apache Struts released on September 2011.

According to the developer, Apache Struts 2.0.x is no longer supported, thus it is strongly recommended that users should upgrade to Apache Struts 2.3.x.
Vendor Information

Apache Software Foundation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-0838

  1. JVN : JVN#79099262
  2. National Vulnerability Database (NVD) : CVE-2012-0838
Revision History

  • [2012/02/10]
      Web page was published.