Bugzilla – Bug 982572
VUL-0: CVE-2016-3087: struts: Passing malicious expression can cause RCE when Dynamic Method Invocation is enabled and REST plugin is used
Last modified: 2016-06-01 13:47:29 UTC
via rh bugzilla and struts upstream https://struts.apache.org/docs/s2-033.html

All Struts 2 developers and users
Impact of vulnerability: Possible Remote Code Execution
Maximum security rating: High
Recommendation: Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1.
Affected Software: Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Reporter: Alvaro Munoz alvaro dot munoz at hpe dot com
CVE Identifier: CVE-2016-3087
Problem: It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled when using the REST Plugin.
Solution: Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Backward compatibility: No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1
Workaround: Disable Dynamic Method Invocation or implement your own version of RestActionMapper.
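The workaround above ("Disable Dynamic Method Invocation") is a one-line struts.xml change. The following fragment is an added example, not part of the bug report or the upstream advisory; it assumes a Struts 2.3.x application, and the package, action and class names in it are placeholders. The constant name struts.enable.DynamicMethodInvocation is the real Struts setting; in the 2.3.x line it defaults to true, so an application that never mentions it has DMI on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Added example (not from the bug report): struts.xml for a Struts 2.3.x app.
     Package/action/class names below are placeholders. -->
<struts>
    <!-- Weak setting: DMI on, which is also the 2.3.x default when the
         constant is absent. "action!method" URLs then select the method
         at request time, the path the advisory describes. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Mitigated setting, as the advisory's workaround recommends. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- With DMI off, choose the method in the mapping itself rather than
         from the URL, so existing "!method" links need explicit actions. -->
    <package name="example" extends="struts-default">
        <action name="saveOrder" class="com.example.OrderAction" method="save">
            <result>/order.jsp</result>
        </action>
    </package>
</struts>
```

After the change, verify the deployed application no longer honours the bang syntax: a request that previously reached an alternate method through action!method should now fall through to the mapped default method or produce an unknown-action error, and any legitimate links that relied on it should be converted to explicit mappings like the one above.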
this issue only affects struts2. we only ship struts1, which does not have the dynamic method invocation
resolved invalid