Apache Struts 2 Remote Code Execution Vulnerability Analysis (CVE-2016-0785)
Apache Struts 2 is one of the world's most widely used Java web application frameworks. Unfortunately, a security researcher has found a remote code execution vulnerability in Struts 2. Apache has released an announcement rating the risk level of this vulnerability as high.
Encyclopedia of the red/Black Alliance: Struts 2
Struts 2 is the next-generation successor to Struts. It is a new framework that merges the Struts 1 and WebWork technologies. The architecture of Struts 2 is very different from that of Struts 1: Struts 2 takes WebWork as its core and uses an interceptor mechanism to process user requests. This design also decouples the business logic controller completely from the Servlet API, so Struts 2 can be understood as an updated WebWork. Although there are many changes from Struts 1 to Struts 2, the changes from WebWork to Struts 2 are very small.
Today, a security researcher found a serious remote code execution vulnerability (CVE-2016-0785) in Struts 2. Developers and users of Struts 2 should be aware of this vulnerability to prevent malicious exploitation by attackers.
Affected Struts 2 versions
Struts 2.0.0 through Struts 2.3.24.1
Repair suggestions
Always validate parameters that are reassigned to Struts tag attributes before they are used.
We recommend that you upgrade Struts to version 2.3.25.
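As an added illustration of the first repair suggestion (this is example code, not code from the Struts project or from the original advisory), the following Struts 2 action validates a request parameter against a strict allowlist before its value is made available to a tag attribute on the result page; the action, field and page names are assumptions.

```java
import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

// Hypothetical action: the value of "reportName" is reused in a Struts tag
// attribute on the result page, so it is validated before the page renders.
public class ReportAction extends ActionSupport {

    // Allowlist: letters, digits, underscore and hyphen, 1 to 64 characters.
    // Anything else, including expression delimiters and other punctuation,
    // is rejected before the value can reach a tag attribute.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private String reportName;

    // Pure check, kept separate so it can be unit-tested without the framework.
    public static boolean isSafeName(String value) {
        return value != null && SAFE_NAME.matcher(value).matches();
    }

    public void setReportName(String reportName) {
        this.reportName = reportName;
    }

    public String getReportName() {
        return reportName;
    }

    // Struts calls validate() before execute(); a field error sends the
    // request to the INPUT result instead of the page that uses the value.
    @Override
    public void validate() {
        if (!isSafeName(reportName)) {
            addFieldError("reportName", "reportName contains characters that are not allowed");
        }
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

The same allowlist check should be applied to every parameter that is later reassigned to a tag attribute, not only to the one shown here.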
The Red/Black Alliance will continue to track and report details of this vulnerability. Please keep an eye on it.