What You Need to Know About the Apache Struts Vulnerability by Gilad David Maayan


Apache Struts is a popular open-source framework used to create web apps. Due to its popularity, Apache Struts attracts a large number of attackers. The framework has a considerable number of vulnerabilities, one of which was exploited during the notorious Equifax breach, way back in 2017. The framework has since been updated. However, even though these vulnerabilities have been made known and patched in the latest versions, many users have failed to upgrade.

What Is the Apache Struts Vulnerability?

Apache Struts is an open-source Model-View-Controller (MVC) framework used to create web applications in Java. The Apache Struts vulnerability is a flaw that enables attackers to remotely execute code. 

Several vulnerabilities that allow this sort of attack have been discovered in Struts over the last few years, including the four listed below. Of these, CVE-2017-5638 is the specific vulnerability used in the Equifax credit bureau breach in 2017.

  • CVE-2017-5638
  • CVE-2017-9791
  • CVE-2017-9805 
  • CVE-2018-11776

The most recent vulnerability (CVE-2018-11776) enables attackers to exploit a user input validation flaw. Specifically, attackers can insert Object-Graph Navigation Language (OGNL) expressions in Uniform Resource Identifier (URI) queries. These are sent through insufficiently validated HTTP requests.

OGNL expressions are used to set object properties. URI queries are used to identify resources, such as documents. This OGNL mechanism has been at the root of several Apache Struts vulnerabilities. This is particularly problematic since Struts uses OGNL for most of its processes.
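Because the injected expression travels in the request URI, web server access logs are a practical place to look for it. The following Python is an added example, not part of the original article: it percent-decodes each request target (including double encoding) and flags the OGNL delimiters `%{` and `${`. The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# OGNL expressions in Struts are written as %{...} or ${...}; either delimiter in a URI is suspect.
OGNL_DELIMITER = re.compile(r"[$%]\{")
# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_requests(log_lines):
    """Return (line_number, decoded_target) for requests carrying OGNL delimiters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_FIELD.search(line)
        if match is None:
            continue  # not a request line this parser understands
        target = decode_fully(match.group("target"))
        if OGNL_DELIMITER.search(target):
            hits.append((number, target))
    return hits


# Constructed sample lines (documentation IP ranges, harmless placeholder expressions).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Feb/2020:10:01:02 +0000] "GET /app/login.action HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Feb/2020:10:01:05 +0000] "GET /app/%24%7Bplaceholder%7D/login.action HTTP/1.1" 404 0',
    '203.0.113.9 - - [17/Feb/2020:10:02:11 +0000] "GET /app/list.action?sort=%2525%257Bname%257D HTTP/1.1" 200 128',
    '203.0.113.9 - - [17/Feb/2020:10:02:15 +0000] "GET /static/50%25-off.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target in find_ognl_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit is a lead for triage rather than proof of compromise, and expressions sent in request bodies or headers do not appear in a standard access log.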

Who Discovered the Apache Struts Vulnerability?

The most recent Struts vulnerability was discovered by Man Yue Mo, a Semmle security researcher. It was uncovered with Semmle QL technology designed for deep semantic code analysis. This technology enables security teams to search for complex data flow paths using written queries.

Apache Struts Vulnerability Mitigation

To avoid falling victim to this vulnerability, Struts 2.3 users need to ensure that they are currently using the most up-to-date version of Struts. This applies to any application using the framework since the vulnerability lies at the core of the framework itself.
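Upgrading starts with knowing which deployed applications bundle Struts and at what version. The following Python is an added example, not part of the original article: it looks inside WAR/EAR archives, including nested ones, for `struts2-core-<version>.jar` and reports copies older than a minimum the caller supplies per release line. The archive contents, the function names and the version numbers in the sample are constructed; take real minimum versions from the Apache Struts security bulletins.

```python
import io
import re
import zipfile

# The core library as Maven names it, e.g. WEB-INF/lib/struts2-core-<version>.jar
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def find_struts(archive, label, depth=3):
    """Yield (location, version) for each struts2-core JAR, descending into nested archives."""
    with zipfile.ZipFile(archive) as bundle:
        for name in bundle.namelist():
            match = STRUTS_JAR.search(name)
            if match:
                yield f"{label}!/{name}", parse_version(match.group(1))
            elif depth > 0 and name.lower().endswith(ARCHIVE_EXT):
                inner = io.BytesIO(bundle.read(name))
                if zipfile.is_zipfile(inner):
                    yield from find_struts(inner, f"{label}!/{name}", depth - 1)

def outdated(archive, label, minimum_by_line):
    """Return copies older than the minimum for their release line (major, minor)."""
    stale = []
    for location, version in find_struts(archive, label):
        required = minimum_by_line.get(version[:2])
        # A release line with no entry is treated as unsupported and reported as well.
        if required is None or version < required:
            stale.append((location, ".".join(map(str, version))))
    return stale

def build_sample():
    """Constructed input: an EAR with two WARs, each holding an empty stand-in JAR."""
    def zip_of(entries):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w") as bundle:
            for name, data in entries.items():
                bundle.writestr(name, data)
        return buffer.getvalue()
    old_war = zip_of({"WEB-INF/lib/struts2-core-2.3.10.jar": b"", "index.jsp": b""})
    new_war = zip_of({"WEB-INF/lib/struts2-core-2.5.30.jar": b""})
    return io.BytesIO(zip_of({"billing.war": old_war, "portal.war": new_war}))

if __name__ == "__main__":
    policy = {(2, 3): (2, 3, 20), (2, 5): (2, 5, 20)}  # constructed values, not real minimums
    print(outdated(build_sample(), "app.ear", policy))
```

Matching on the file name misses JARs that were renamed or repackaged into another archive, so treat an empty result as "none found by name" rather than "not present".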

Remote code execution vulnerabilities can enable attackers to take control of systems, making these flaws a serious security threat. Struts applications, which are often accessible from the Internet, are particularly vulnerable. These applications typically do not require existing privileges to access and can be readily identified. Once an attacker is aware of vulnerable applications, there is little to stop them from exploiting this flaw.

The specific amount of risk you face is determined by the configuration and architecture of your applications. However, you should not rely on these aspects alone to keep you protected as both can change, exposing the vulnerability if left unpatched.

Should You Continue to Use Apache Struts?

Apache Struts has been available for 18 years and continues to be widely adopted by enterprises across the world. Despite this, the continued discovery of new vulnerabilities is causing some organizations to rethink including the framework. There are several pros and cons to this strategy to consider if you are also thinking about dropping Struts.

Pros of Apache Struts

Pros of Apache Struts stem from its extensive history and community support.

Robust Community Support

Despite its age, the Struts community continues to thrive, providing fast and consistent response to security threats. It actively discloses up-to-date vulnerability information and releases patches in a timely manner. This significantly offsets the risks of any vulnerabilities that are found.

Although it may seem as though Struts is especially vulnerable, this isn’t necessarily true. Part of the reason for its number of known vulnerabilities is the consistent review and oversight that is given to the project. Other contributors are the well-established security and disclosure policies the project is held to. Comparable projects lacking this structure and oversight likely have similar numbers of vulnerabilities that have simply not been disclosed.

Active Support for Multiple Versions

Multiple versions of Struts are supported, with vulnerabilities and quality issues being corrected accordingly. As vulnerabilities are discovered, the community is informed of all affected versions and is directed to the appropriate patch. This is different from many other open-source projects, which may only offer support for the most recent versions.

Cons of Apache Struts

Cons of Apache Struts stem from advancing technology and increasing demands for security.

Ongoing Vulnerabilities

A number of the vulnerabilities disclosed for Struts are tied to changes made months or years prior. This means there was a significant amount of time during which attackers could exploit these vulnerabilities before a patch was available or users were aware. Due to this time lag, a growing number of users are calling on organizations to stop using Struts.

Struts Isn’t Advancing With Technology

Apache Struts is a well-established project but is based on outdated technologies. It is built as a monolithic framework, not a set of microservices as many newer projects are. Likewise, because of its age, it includes the work of a host of developers, building upon each other’s work in a variety of methods and styles. This patchwork effort leads to greater code complexity and decreased efficiency, and makes it harder to address bugs reliably.


Even though Apache Struts has an active community, vulnerability discovery and remediation can take a long time. That means vulnerabilities can be exploited long before contributors have had time to patch them and release an upgrade. This time lag is due to Apache Struts’ outdated technology, which uses a monolithic framework.

For some, the advantages of using Apache Struts outweigh these huge security disadvantages. However, if you do continue to use this framework, at least upgrade as soon as a new version comes out. This can help you ensure that you’re at least patching the latest known vulnerability.

About the Author:

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/

February 17, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.