Apache Struts 2 Arbitrary Code Execution Vulnerabilities (CVE-2016-3087)
Release date:
Updated on:
Affected Systems:
Apache Group Struts 2.3.20-2.3.28
Description:
CVE (CAN) ID: CVE-2016-3087
Struts2 is an extensible framework for building enterprise-level Java Web applications.
In Struts 2.3.20 through 2.3.28 (except 2.3.20.3 and 2.3.24.3), when the REST plug-in is used and Dynamic Method Invocation is enabled, arbitrary code may be executed on the server through malicious expressions.
<* Source: Alvaro Munoz alvaro dot munoz at hpe dot com
*>
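The three conditions in the description (affected version, REST plug-in present, Dynamic Method Invocation enabled) can be checked per deployment. The following is an added example, not code from the advisory or from Apache. It assumes the jars are named struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar, that DMI is set through the `struts.enable.DynamicMethodInvocation` constant in struts.xml, and that an absent constant means DMI is off; settings in struts.properties are not inspected.

```python
import re
import xml.etree.ElementTree as ET

# Affected range and excepted releases, as stated in the advisory.
AFFECTED_MIN, AFFECTED_MAX = (2, 3, 20), (2, 3, 28)
EXCEPTED = {(2, 3, 20, 3), (2, 3, 24, 3)}
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
# Assumed jar naming: struts2-core-<version>.jar, struts2-rest-plugin-<version>.jar
JAR_RE = re.compile(r"^struts2-(core|rest-plugin)-(\d+(?:\.\d+)*)\.jar$")

def version_affected(version):
    """True if the version tuple is in 2.3.20-2.3.28 and not an excepted release."""
    return version not in EXCEPTED and AFFECTED_MIN <= version <= AFFECTED_MAX

def dmi_enabled(struts_xml):
    """True if any <constant> in struts.xml explicitly sets DMI to true."""
    root = ET.fromstring(struts_xml)
    return any(c.get("name") == DMI_CONSTANT
               and c.get("value", "").strip().lower() == "true"
               for c in root.iter("constant"))

def assess(jar_names, struts_xml):
    """Return (exposed, checks); exposed only when all three conditions hold."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = tuple(int(p) for p in m.group(2).split("."))
    core = found.get("core")
    checks = {
        "affected_version": core is not None and version_affected(core),
        "rest_plugin": "rest-plugin" in found,
        "dmi_enabled": dmi_enabled(struts_xml),
    }
    return all(checks.values()), checks

# Constructed sample: WEB-INF/lib listing and struts.xml of a hypothetical app.
SAMPLE_JARS = ["commons-io-2.2.jar", "struts2-core-2.3.24.1.jar",
               "struts2-rest-plugin-2.3.24.1.jar"]
SAMPLE_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
  <constant name="struts.devMode" value="false"/>
</struts>"""

if __name__ == "__main__":
    exposed, checks = assess(SAMPLE_JARS, SAMPLE_XML)
    print("exposed" if exposed else "not exposed", checks)
```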
Suggestion:
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://struts.apache.org/docs/s2-033.html
https://struts.apache.org/docs/version-notes-23203.html
https://struts.apache.org/docs/version-notes-23243.html
https://struts.apache.org/docs/version-notes-2328.html