Apache Struts - Remote Code Execution (Log4Shell - CVE-2021-44228)

Collected from pentest-tools.com on 2025-03-25
Download link: https://pentest-tools.com/vulnerabilities-exploits/undefined
Description:
Apache Struts is affected by a Remote Code Execution vulnerability located in the Log4j logging library it uses. The root cause is improper input validation in the JNDI lookup functionality of Apache Log4j <= 2.14.1, which Apache Struts depends on. A feature called "message lookup substitution", enabled by default in the affected versions, allows attackers to load and execute arbitrary Java code from a remote LDAP server. Furthermore, the JNDI lookups support multiple protocols, including LDAP, LDAPS, DNS and RMI. Therefore, if an attacker can control the log messages and inject arbitrary code through one of the input parameters or an HTTP header, they can host a malicious Java class on a server they control, and the vulnerable server will use the lookup mechanism to fetch and execute that class from the LDAP/LDAPS/DNS/RMI server. All versions before 2.17.1 are affected.
Provider: pentest-tools.com