This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Apache Struts 2 CookieInterceptor flaw. **Consequences**: Remote attackers can execute **arbitrary code** via the ClassLoader. It's a critical bypass of access controls.
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: Improper access control in `CookieInterceptor`. **Flaw**: When a wildcard `cookiesName` is configured, the interceptor fails to restrict access to the `getClass` method. (CWE not specified in the data.)
Q3 Who is affected? (Versions/Components)
**Affected**: Apache Struts 2. **Versions**: 2.3.16.1 and **prior** versions. **Component**: Specifically the `CookieInterceptor` module.
Q4 What can hackers do? (Privileges/Data)
**Hackers Can**: Send crafted requests that exploit the ClassLoader. **Impact**: Execute **arbitrary code** on the server, which implies full system compromise, not just data theft.
Q5 Is the exploitation threshold high? (Auth/Config)
**Threshold**: Low/Medium. **Auth**: Remote exploitation is possible. **Config**: Depends on wildcard `cookiesName` values being in use. No local access required.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp?**: Yes. **Evidence**: A SecurityFocus mailing list post (20140426) and Secunia advisory (59178) confirm active discussion and the availability of fixes/exploits.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for Apache Struts 2 deployments. **Test**: Look for `CookieInterceptor` configured with wildcard `cookiesName` patterns. **Tools**: Use standard CVE scanners for S2-021 (linked in refs).
Q8 Is it fixed officially? (Patch/Mitigation)
**Fixed?**: Yes. **Patch**: Upgrade to **Struts 2.3.16.2** or later. **Source**: The Apache Confluence S2-021 page confirms the GA release with the security fix.
Q9 What if no patch? (Workaround)
**No Patch?**: Disable or restrict `CookieInterceptor`. **Mitigation**: Avoid wildcard `cookiesName` configurations. **Block**: Filter requests targeting the `getClass` method via a WAF if possible.
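To make the Q7 check and the Q9 workaround concrete, here is an added Struts 2 configuration example (not from this page and not the Apache Struts project's own code) that puts the wildcard `cookiesName` setting beside a restricted one. The interceptor reference name `cookie` is assumed to follow the registration in `struts-default.xml`; the package, action, class and cookie names (`prefs`, `prefsAction`, `com.example.PrefsAction`, `theme`, `lang`) are constructed for illustration.

```xml
<!-- Added example (not from the page or the Struts project). Assumptions:
     the interceptor is registered as "cookie" (as in struts-default.xml);
     package, action, class and cookie names below are constructed. -->
<struts>
  <package name="prefs" extends="struts-default">

    <!-- WEAK: a wildcard cookiesName maps every cookie name the client
         sends onto the action. On 2.3.16.1 and earlier this is the
         configuration that S2-021 describes as exploitable. -->
    <action name="prefsAction-weak" class="com.example.PrefsAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
      <result>/prefs.jsp</result>
    </action>

    <!-- RESTRICTED: only the cookies the action actually uses are named,
         so arbitrary client-chosen cookie names are never mapped onto it.
         This is the "avoid wildcard cookiesName" workaround; upgrading
         to 2.3.16.2 or later is still the real fix. -->
    <action name="prefsAction" class="com.example.PrefsAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">theme,lang</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
      <result>/prefs.jsp</result>
    </action>

  </package>
</struts>
```

For a quick self-check, search every `struts.xml` (and any included configuration files) for `<param name="cookiesName">` whose value is `*`; any action that still carries that setting on an unpatched version is the one to prioritise for the upgrade.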
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: HIGH. **Priority**: Critical. **Reason**: Remote Code Execution (RCE) is available. Immediate patching to 2.3.16.2+ is strongly advised.