CVE-2020-17530 Overview
CVE-2020-17530 is a remote code execution vulnerability in Apache Struts 2 tracked as advisory S2-061. The flaw stems from forced Object-Graph Navigation Language (OGNL) evaluation performed on raw user-supplied input passed through certain tag attributes. Attackers who control values that reach these attributes can inject OGNL expressions that the framework evaluates server-side, leading to arbitrary code execution under the privileges of the application server. Apache Struts versions 2.0.0 through 2.5.25 are affected, and the issue has been incorporated into multiple Oracle product advisories. The weakness is classified as CWE-917 (Expression Language Injection), and the vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated network attackers can achieve remote code execution on vulnerable Apache Struts 2 deployments by injecting OGNL expressions into tag attributes that accept raw user input.
Affected Products
- Apache Struts 2.0.0 through 2.5.25
- Oracle Business Intelligence 12.2.1.3.0 and 12.2.1.4.0, Oracle Communications Diameter Intelligence Hub 8.0.0–8.2.3, Oracle Communications Policy Management 12.5.0
- Oracle Communications Pricing Design Center 12.0.0.3.0, Oracle Financial Services Data Integration Hub 8.0.3/8.0.6, Oracle Hospitality OPERA 5.6, Oracle MySQL Enterprise Monitor 8.0.23
Discovery Timeline
- 2020-12-11 - CVE-2020-17530 published to the National Vulnerability Database
- 2020-12-11 - Apache publishes the S2-061 security advisory
- 2021-01-15 - NetApp releases coordinated advisory NTAP-20210115-0005
- 2021-01 through 2022-04 - Oracle ships patches across multiple Critical Patch Updates
- 2025-10-27 - Last updated in the NVD database
Technical Details for CVE-2020-17530
Vulnerability Analysis
Apache Struts 2 uses OGNL as its expression language to bind request values to Java objects and render dynamic content in JSP tags. The S2-061 issue is a regression following the earlier S2-059 fix. Although Struts added sandboxing for OGNL, certain tag attributes evaluate their value a second time, so a value that is itself the result of a %{...} evaluation is parsed again as an expression. When developers place user-controllable values into tag attributes that are subject to this forced OGNL evaluation, an attacker can submit a payload that the framework parses as an expression rather than as data. The expression executes inside the Struts ValueStack with access to Java reflection APIs, enabling the attacker to invoke java.lang.Runtime or ProcessBuilder and run operating system commands.
Root Cause
The root cause is forced double evaluation of OGNL expressions in tag attributes (CWE-917, Expression Language Injection). The sandbox introduced in earlier Struts releases blocks direct access to dangerous classes, but the second-stage evaluation re-parses attribute content that was originally treated as a literal string. Sandbox bypass techniques published after disclosure show that attackers can construct expressions that escape the OGNL restrictions and reach unrestricted reflection.
Attack Vector
Exploitation requires sending a crafted HTTP request to an endpoint whose backing JSP or template places attacker-controlled input into a vulnerable tag attribute. No authentication or user interaction is required. The payload is delivered as a parameter value containing an OGNL expression wrapped in %{...} syntax. When the server renders the response, the framework evaluates the injected expression and the resulting command runs with the privileges of the Struts application process. Public proof-of-concept content for S2-061 is referenced in the Packet Storm and JVN advisories for this issue.
No verified exploit code is reproduced here. Technical details and payload structure are documented in the Apache S2-061 Advisory and the Packet Storm Exploit.
Detection Methods for CVE-2020-17530
Indicators of Compromise
- HTTP request parameters or URI components containing %{, ${, or (# sequences targeting Struts endpoints
- Outbound network connections from the Java application process to unexpected hosts shortly after request processing
- Java application processes spawning child processes such as sh, bash, cmd.exe, powershell.exe, curl, or wget
- Unexpected files written into the Struts deployment directory or WEB-INF paths
Detection Strategies
- Inspect web server and application logs for tag attribute values containing OGNL syntax markers like %{ or references to @java.lang.Runtime@, ProcessBuilder, or Class.forName
- Hunt for parent-child process anomalies where the JVM running Struts spawns shell or scripting interpreters
- Correlate WAF or reverse proxy alerts on OGNL-style payloads with downstream endpoint telemetry on the same host
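The two log-based hunts above (OGNL marker sequences in request parameters, and a Struts JVM spawning shells or downloaders) as runnable detection logic. This is an added example written for this page, not code from the Apache Struts project or any of the referenced advisories. The access-log lines and process events are constructed samples; the parameter values contain only the marker syntax from the indicators list, encoded once or twice, and nothing executable. The decoding step is deliberately repeated so that double-encoded markers such as %25%7B are still caught.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Marker sequences taken from the indicators-of-compromise list above.
OGNL_MARKERS = [
    ("%{", re.compile(r"%\{")),
    ("${", re.compile(r"\$\{")),
    ("(#", re.compile(r"\(#")),
    ("@java.lang.Runtime@", re.compile(r"@java\.lang\.Runtime@", re.I)),
    ("ProcessBuilder", re.compile(r"ProcessBuilder", re.I)),
    ("Class.forName", re.compile(r"Class\.forName", re.I)),
]

# Common/combined access-log format; only the request target is inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Interpreters and downloaders a Struts JVM should not be launching (IoC list above).
SUSPICIOUS_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget"}


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so a double-encoded %25%7B still yields '{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_markers(text):
    """Return the labels of every marker present in an already-decoded string."""
    return [label for label, rx in OGNL_MARKERS if rx.search(text)]


def scan_request_target(target):
    """Check the path and each parameter name and value; returns (location, marker) pairs."""
    hits = []
    parts = urlsplit(target)
    hits += [("path", m) for m in find_ognl_markers(fully_decode(parts.path))]
    # parse_qsl decodes one layer; fully_decode handles anything nested deeper.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        hits += [(f"param-name:{name}", m) for m in find_ognl_markers(fully_decode(name))]
        hits += [(f"param:{name}", m) for m in find_ognl_markers(fully_decode(value))]
    return hits


def scan_access_log(log_text):
    """Return one alert dict per log line whose request target carries OGNL markers."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: report separately rather than silently trust it
        hits = scan_request_target(match["target"])
        if hits:
            alerts.append({"ip": match["ip"], "ts": match["ts"],
                           "target": match["target"], "hits": hits})
    return alerts


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def jvm_spawned_interpreters(process_events):
    """Flag (parent, child) pairs where a java process launches a shell or downloader."""
    return [
        (ev["parent"], ev["child"])
        for ev in process_events
        if _basename(ev["parent"]) in ("java", "java.exe")
        and _basename(ev["child"]) in SUSPICIOUS_CHILDREN
    ]


# Constructed sample data (not real traffic or telemetry).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2020:10:15:01 +0000] "GET /app/index.action?id=%25%7B%28%23x%3D1%29%7D HTTP/1.1" 200 512
198.51.100.7 - - [11/Dec/2020:10:15:03 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 512
203.0.113.10 - - [11/Dec/2020:10:15:05 +0000] "POST /app/login.action?user=%24%7B1%2B1%7D HTTP/1.1" 500 128
"""

SAMPLE_PROCESS_EVENTS = [
    {"parent": "/usr/lib/jvm/java-11/bin/java", "child": "/bin/sh"},
    {"parent": "/usr/lib/jvm/java-11/bin/java", "child": "/usr/bin/java"},
    {"parent": "/usr/sbin/cron", "child": "/bin/sh"},
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['target']} -> {alert['hits']}")
    print("JVM spawned interpreters:", jvm_spawned_interpreters(SAMPLE_PROCESS_EVENTS))
```

Run against real access logs, expect the ${ marker to produce some benign noise (templating and shell-style strings in legitimate parameters), so correlate a hit with the process-spawn check on the same host before escalating, as the last detection strategy above suggests.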
Monitoring Recommendations
- Enable verbose logging of incoming parameter names and values for Struts endpoints and forward them to a centralized log platform for retention
- Monitor outbound egress from application servers and alert on direct connections to non-corporate destinations
- Track creation of new files under web application directories and changes to scheduled tasks or cron entries on application hosts
How to Mitigate CVE-2020-17530
Immediate Actions Required
- Upgrade Apache Struts to version 2.5.26 or later, which addresses S2-061 by removing forced double OGNL evaluation
- Apply the relevant Oracle Critical Patch Updates for Business Intelligence, Communications, Financial Services, Hospitality, and MySQL Enterprise Monitor products
- Audit JSP templates and custom tags for attributes that consume user-controlled values and refactor them to use bound model fields instead of raw request parameters
Patch Information
Apache addressed the vulnerability in Struts 2.5.26 as documented in the Apache S2-061 Advisory. Oracle shipped fixes across the Oracle CPU January 2021, Oracle CPU April 2021, Oracle CPU July 2021, Oracle CPU October 2021, and Oracle CPU January 2022 bulletins. NetApp coordination is documented in the NetApp Security Advisory. Federal agencies should review the CISA Known Exploited Vulnerability entry for binding remediation dates.
Workarounds
- Deploy web application firewall rules that block request parameters and headers containing OGNL markers such as %{, ${, (#, and references to reflection classes
- Restrict outbound network access from application servers so that successful exploitation cannot reach attacker-controlled callback infrastructure
- Remove forced OGNL evaluation patterns from custom Struts tags by passing model values rather than re-evaluating raw attribute strings
# Verify the installed Struts version in a deployed WAR. The core jar's file name
# carries the version (for example struts2-core-2.5.25.jar); the manifest is a
# second check. unzip cannot read an archive from stdin, so the jar is extracted
# to a temporary directory before its manifest is read.
WAR=/path/to/app.war
unzip -l "$WAR" | grep -o 'struts2-core-[^ ]*\.jar'
TMP=$(mktemp -d)
unzip -q -j "$WAR" 'WEB-INF/lib/struts2-core-*.jar' -d "$TMP"
unzip -p "$TMP"/struts2-core-*.jar META-INF/MANIFEST.MF | grep -iE 'Implementation-Version|Bundle-Version'
rm -rf "$TMP"
# Example WAF rule (ModSecurity) to block OGNL markers in query, body and headers.
# ARGS are already decoded once; t:urlDecodeUni catches a second encoding layer.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS \
"@rx (?i)(%\{|\$\{|\(#|@java\.lang\.Runtime@|ProcessBuilder)" \
"id:1017530,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Possible Struts S2-061 OGNL injection'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


