The following security vulnerability has been under investigation by Forcepoint Engineering since May 2, 2016.
Last update: May 16, 2016
Description of vulnerability
From CVE website: Apache Struts 2.x before 22.214.171.124, 2.3.24.x before 126.96.36.199, and 2.3.28.x before 188.8.131.52, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
The Apache Struts 2 documentation site describes the vulnerability as follows in its Security Bulletin S2-032:
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.
See http://struts.apache.org/docs/s2-032.html for more details.
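Because the issue only applies when Dynamic Method Invocation is enabled, a first triage step is to check the application's Struts configuration for the `struts.enable.DynamicMethodInvocation` constant. The following Python sketch is an added example, not code from Forcepoint or the Apache Struts project. The sample file contents are constructed, and flagging the application when any one file enables the setting is a conservative assumption rather than a model of Struts' own precedence rules.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"
# key, then '=' / ':' / whitespace separator, then the value (Java properties syntax)
PROP_RE = re.compile(r"^\s*" + re.escape(DMI_KEY) + r"(?:\s*[=:]\s*|\s+)(\S+)\s*$")

def dmi_from_struts_xml(text):
    """Last <constant> value for the DMI key in struts.xml, or None if unset."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            value = (const.get("value") or "").strip().lower()
    return value

def dmi_from_properties(text):
    """Last value for the DMI key in struts.properties, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PROP_RE.match(line)  # commented-out lines do not match
        if m:
            value = m.group(1).lower()
    return value

def audit(sources):
    """sources: (label, kind, text) tuples. Returns (findings, needs_review)."""
    parsers = {"xml": dmi_from_struts_xml, "properties": dmi_from_properties}
    findings = [(label, parsers[kind](text)) for label, kind, text in sources]
    # Conservative: flag the application if any source turns DMI on.
    return findings, any(v == "true" for _, v in findings)

# Constructed sample files, not taken from any real deployment.
SAMPLE_XML = """<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
  "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
SAMPLE_PROPS = "# struts.enable.DynamicMethodInvocation=true\nstruts.i18n.encoding=UTF-8\n"

if __name__ == "__main__":
    findings, needs_review = audit([("struts.xml", "xml", SAMPLE_XML),
                                    ("struts.properties", "properties", SAMPLE_PROPS)])
    for label, value in findings:
        print(f"{label}: {DMI_KEY} = {value if value is not None else 'not set'}")
    print("review required" if needs_review else "DMI not enabled in these files")
```

A result of "not set" means the default of the installed Struts version applies, so the version check against the bulletin is still needed in that case.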
What is the risk to Forcepoint products?
The following are considered not vulnerable: