SummaryPossible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests
Maximum security rating
Struts 2.1.6 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
The REST Plugin is using a
XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that was introduced to allow define class restrictions per action, those interfaces are:
The best option is to remove the Struts REST plugin when not used. Alternatively you can only upgrade the plugin by dropping in all the required JARs (plugin plus all dependencies). Another options is to limit th plugin to server normal pages and JSONs only:
Disable handling XML pages and requests to such pages
Register the handler by overriding the one provided by the framework in your