SummaryA crafted XML request can be used to perform a DoS attack when using the Struts REST plugin
Who should read this
All Struts 2 developers and users which are using the REST plugin
Impact of vulnerability
A DoS attack is possible when using XStream handler with the Struts REST plugin
Maximum security rating
Upgrade to Struts 2.5.16
Struts 2.1.1 - Struts 22.214.171.124
Yevgeniy Grushka & Alvaro Munoz from HPE
The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.
If you are using the REST plugin, upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
No backward incompatibility issues are expected.
Use Jackson XML handler instead of the default XStream handler as described here.