CVE-2021-31805 Overview
CVE-2021-31805 is a critical remote code execution vulnerability affecting Apache Struts, one of the most widely deployed Java web application frameworks. This vulnerability represents an incomplete fix for the earlier CVE-2020-17530, where certain tag attributes could still perform a double evaluation when developers applied forced OGNL (Object-Graph Navigation Language) evaluation using the %{...} syntax. When forced OGNL evaluation is applied to untrusted user input, attackers can achieve remote code execution and compromise the security of affected systems.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable Apache Struts servers, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Apache Struts versions 2.0.0 through 2.5.29
- Applications using Struts tags with forced OGNL evaluation (%{...}) on user-controlled input
- Web applications deployed on affected Struts versions that process untrusted input
Discovery Timeline
- April 12, 2022 - CVE-2021-31805 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-31805
Vulnerability Analysis
This vulnerability stems from an incomplete security patch for CVE-2020-17530 (also known as S2-061). The original vulnerability allowed OGNL injection through certain tag attributes, and while a fix was implemented, it failed to address all exploitation vectors. Apache Struts uses OGNL as its expression language for data transfer and type conversion between the HTTP request parameters and Java objects.
When a developer uses the forced OGNL evaluation syntax %{...} within certain tag attributes and processes user-supplied input, the framework performs a double evaluation. This means that user input containing OGNL expressions gets evaluated twice, allowing attackers to inject and execute arbitrary OGNL code. Since OGNL can access Java classes and execute methods, successful exploitation enables arbitrary code execution on the server.
The vulnerability is particularly dangerous because it requires no authentication and can be exploited over the network with low complexity. The attack does not require user interaction, making it suitable for automated exploitation campaigns.
Root Cause
The root cause of CVE-2021-31805 lies in the improper handling of OGNL expression evaluation within Apache Struts tag attributes. Specifically, the security controls implemented to prevent OGNL injection in CVE-2020-17530 did not adequately cover all tag attributes where forced evaluation could occur. The framework's architecture allows certain tag parameters to undergo double evaluation, meaning if a developer uses %{...} syntax on user-controlled data, the input is processed twice through the OGNL interpreter. This creates an injection point where malicious OGNL expressions bypass the initial sanitization and execute during the second evaluation pass.
Attack Vector
The attack vector for CVE-2021-31805 is network-based, targeting web applications that use vulnerable versions of Apache Struts. An attacker crafts HTTP requests containing malicious OGNL expressions designed to be evaluated during the double-evaluation process.
The exploitation flow typically involves:
- Identifying a Struts application using vulnerable tag attributes with forced OGNL evaluation
- Crafting an HTTP request with OGNL injection payloads embedded in parameters processed by vulnerable tags
- The malicious OGNL expression bypasses initial sanitization and executes during the second evaluation
- The attacker achieves code execution with the privileges of the web application server
The vulnerability manifests when developers use the %{...} forced evaluation syntax on tag attributes that receive untrusted user input. Attackers can leverage this to call Java runtime methods, spawn system processes, read sensitive files, or establish reverse shells. For detailed technical information on exploitation mechanics, refer to the Apache S2-062 Vulnerability Advisory.
Detection Methods for CVE-2021-31805
Indicators of Compromise
- Unusual HTTP requests containing OGNL expression patterns such as %{, @java.lang.Runtime, or ProcessBuilder
- Web server logs showing requests with encoded or obfuscated Java class references
- Unexpected child processes spawned by the Java application server (Tomcat, JBoss, etc.)
- Outbound network connections from the web application to unfamiliar external hosts
- Evidence of command execution artifacts such as shell histories or dropped files in web-accessible directories
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block OGNL injection patterns in HTTP requests
- Deploy network intrusion detection systems (IDS) with signatures for Apache Struts exploitation attempts
- Enable verbose logging on Struts applications to capture detailed request parameters for forensic analysis
- Use SentinelOne's behavioral AI to detect anomalous process execution chains originating from Java processes
Monitoring Recommendations
- Monitor Java application server processes for unusual child process creation (cmd.exe, sh, bash, powershell)
- Track outbound network connections from web application servers for command-and-control communication attempts
- Implement file integrity monitoring on web application directories to detect webshell deployment
- Set up alerting for high volumes of requests containing special characters commonly used in injection attacks
How to Mitigate CVE-2021-31805
Immediate Actions Required
- Upgrade Apache Struts to version 2.5.30 or later immediately
- Audit application code to identify any usage of forced OGNL evaluation (%{...}) with user-controlled input
- Implement input validation and output encoding to prevent OGNL injection
- Deploy WAF rules to block known OGNL injection patterns as a defense-in-depth measure
- Restrict network access to web application servers to minimize exposure
Patch Information
Apache has released version 2.5.30 which addresses this vulnerability by improving the security controls around OGNL evaluation. Organizations should apply this patch immediately given the critical severity and network-exploitable nature of this vulnerability. For detailed patch information and upgrade instructions, refer to the Apache S2-062 Vulnerability Advisory. Additional vendor-specific guidance is available from Oracle CPU July 2022 Security Alert for Oracle products incorporating Apache Struts.
Workarounds
- Avoid using forced OGNL evaluation (%{...}) syntax on any user-controllable input
- Implement strict input validation to reject requests containing OGNL expression patterns
- Use a reverse proxy or WAF to filter potentially malicious requests before they reach the Struts application
- Apply the principle of least privilege to the account running the web application server
# Example: WAF rule pattern to block common OGNL injection attempts
# Add to ModSecurity or similar WAF configuration
SecRule REQUEST_URI|REQUEST_BODY "@rx (%\{|@java\.lang\.|ProcessBuilder|Runtime\.getRuntime)" \
"id:100001,phase:2,deny,status:403,msg:'Potential OGNL Injection Attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
