A vulnerability has been found in Apache Struts that could allow remote code execution. When Dynamic Method Invocation (DMI) is enabled, a remote attacker could exploit the vulnerability by passing a malicious expression to execute arbitrary code on the target server.
Reports indicate that exploit code was released and the vulnerability is being actively exploited in targeted attacks.
A successful attack could lead to arbitrary code execution on an affected system.
Users should upgrade Apache Struts to 2.3.20.3, 2.3.24.3 or 2.3.28.1 to address the issue. The update is available at:
https://struts.apache.org/downloads.html
It is also recommended to disable Dynamic Method Invocation if possible.
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
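A minimal audit for the two remediation steps above, as an added example that is not part of the original advisory: it flags a `struts2-core` jar whose version is not one of the fixed releases listed here, and a `struts.xml` that does not explicitly disable DMI. The jar naming pattern, the function names and the sample inputs are assumptions, and only `struts.xml` is inspected.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in this advisory.
FIXED_VERSIONS = {"2.3.20.3", "2.3.24.3", "2.3.28.1"}
DMI_KEY = "struts.enable.DynamicMethodInvocation"

def dmi_setting(struts_xml_text):
    """Return 'enabled', 'disabled' or 'unset' for DMI in struts.xml text."""
    root = ET.fromstring(struts_xml_text)
    values = [c.get("value", "").strip().lower()
              for c in root.iter("constant") if c.get("name") == DMI_KEY]
    if "true" in values:          # any explicit opt-in counts as enabled
        return "enabled"
    return "disabled" if "false" in values else "unset"

def core_version(jar_name):
    """Extract the version from a struts2-core jar file name, else None."""
    m = re.fullmatch(r"struts2-core-(\d+(?:\.\d+)*)\.jar", jar_name)
    return m.group(1) if m else None

def audit(jar_name, struts_xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    version = core_version(jar_name)
    if version not in FIXED_VERSIONS:
        findings.append(f"struts2-core {version or 'unknown'} is not a fixed "
                        "release listed in the advisory; check it against S2-032")
    dmi = dmi_setting(struts_xml_text)
    if dmi != "disabled":
        findings.append(f"Dynamic Method Invocation is {dmi}; set {DMI_KEY} "
                        "to false in struts.xml")
    return findings

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_DMI_ON = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>"""
SAMPLE_DMI_OFF = SAMPLE_DMI_ON.replace('value="true"', 'value="false"')

if __name__ == "__main__":
    for jar, xml in [("struts2-core-2.3.28.jar", SAMPLE_DMI_ON),
                     ("struts2-core-2.3.28.1.jar", SAMPLE_DMI_OFF)]:
        print(jar, audit(jar, xml) or "OK")
```

An `unset` result means the constant is absent from the file, so the setting falls back to whatever default that Struts release ships with and should be pinned explicitly.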
http://struts.apache.org/docs/s2-032.html
https://www.hkcert.org/my_url/en/alert/16042801
http://www.cert.org.cn/publish/main/9/2016/20160427071233907846865/20160427071233907846865_.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081