September 02, 2020

Analysis of CVE-2019-0230: OGNL Expression Language Vulnerability

by Manish Sardiwal


In mid-August, Apache released security bulletin S2-059 to address the vulnerability CVE-2019-0230. CVE-2019-0230 is an OGNL expression language vulnerability that may lead to remote code execution in the context of the Apache server process. Object-Graph Navigation Language (OGNL) is an expression language for Java that is used to get and set properties and execute methods of Java classes in Java web applications. Expression languages are popular and widely used in web applications, but they also have security flaws because they can create and execute code. In this blog we discuss exploitation of this vulnerability and its detection by Prismo.


Exploitation details of CVE-2019-0230

The vulnerability lies in the use of OGNL expression syntax in Apache Struts tag attributes. If an application uses OGNL expression syntax in a Struts tag attribute, the attribute value is evaluated as an OGNL expression. If the input value for such an attribute is modified or controlled by user input, an attacker can send crafted input to execute a malicious OGNL expression. A working exploit POC and test application were released on GitHub after the release of the Apache security advisory.

In the following statement the "id" attribute is evaluated as an OGNL expression. If the value of "id" is set from raw, unsanitized user input, an attacker can send a crafted request to exploit it and execute a malicious OGNL expression.

    <s:a id="%{id}" href="onlytest">CVE-2019-0230 Exploit</s:a>

The following HTTP request to the POC test application leads to remote code execution and lists the files in the current directory. The "id" parameter of the HTTP GET request is consumed as the input value for the "id" attribute of the Struts "a" tag. This results in the malicious expression language string being executed in the context of the Apache server process.


Figure 1: Malicious HTTP request to exploit CVE-2019-0230


Exploitation of this vulnerability depends on how the web application consumes user input in Struts tag attributes. The HTTP request parameter involved can differ from one application to another, so it is application specific.
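Because the exposure depends on which tag attributes an application evaluates, a source review of its JSP templates is a practical first check. The script below is an added example, not code from the original post or from Apache Struts: it lists Struts tag attributes that contain `%{...}` and marks those whose expression names a request-bound property. The function name `audit_jsp`, the `request_params` argument and the sample page are assumptions made for illustration.

```python
import re

# Opening Struts tag with quoted attributes, e.g. <s:a id="%{id}" href="x">
TAG_RE = re.compile(
    r'<s:([\w-]+)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|\'[^\']*\'))*)\s*/?>')
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')
OGNL_RE = re.compile(r'%\{([^}]*)\}')
# An expression that is only a quoted string or a number carries no dynamic data.
LITERAL_RE = re.compile(r'^\s*(?:\'[^\']*\'|"[^"]*"|-?\d+(?:\.\d+)?)\s*$')
IDENT_RE = re.compile(r'[A-Za-z_]\w*')


def audit_jsp(source, request_params=()):
    """Return one finding per non-constant %{...} in a Struts tag attribute.

    request_params: property names the application binds from HTTP requests.
    This list is supplied by the reviewer (assumption); it is not discovered here.
    """
    params = set(request_params)
    findings = []
    for tag in TAG_RE.finditer(source):
        line = source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            for expr in OGNL_RE.findall(value):
                if LITERAL_RE.match(expr):
                    continue  # constant expression, nothing to trace
                tainted = params & set(IDENT_RE.findall(expr))
                findings.append({
                    "line": line,
                    "tag": "s:" + tag.group(1),
                    "attribute": attr.group(1),
                    "expression": expr,
                    "severity": "high" if tainted else "review",
                })
    return findings


# Constructed sample page; the second line is the statement quoted in this post.
SAMPLE_JSP = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{id}" href="onlytest">CVE-2019-0230 Exploit</s:a>
<s:textfield name="title" label="%{'Title'}"/>
<s:url var="next" value="%{nextPage}"/>
'''

if __name__ == "__main__":
    for f in audit_jsp(SAMPLE_JSP, request_params={"id"}):
        print("{line}: <{tag}> {attribute}=%{{{expression}}} [{severity}]".format(**f))
```

A "review" finding still needs a manual trace of where the property value comes from; the script only matches names and does not follow data flow.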


Prismo’s Detection

Figure 2 shows the detection of a CVE-2019-0230 attack that leads to remote code execution. By instrumenting the web application, the algorithm uses data flow analysis to trace the flow of data from methods that accept user input to the program execution functions. The stack trace is then used to validate whether the data flow is malicious or benign, leading to vulnerability detection.

Figure 2: Prismo detecting the exploit attack as Expression Language Vulnerability RCE



This blog shares an analysis of the recently released CVE-2019-0230 in the Apache Struts framework, versions Struts 2.0.0 to 2.5.20. We also share how the vulnerability is detected by instrumenting web applications. Detecting a vulnerability by instrumenting the application provides an inherent advantage: it not only detects exploitation of the vulnerability but also identifies the vulnerable code path with each detected exploitation attempt. Once the vulnerable code path is fixed, alerts are reduced and the web application becomes more complex to exploit.