Child pages
  • S2-056
Skip to end of metadata
Go to start of metadata

Summary

A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

Who should read this

All Struts 2 developers and users which are using the REST plugin

Impact of vulnerability

A DoS attack is possible when using XStream handler with the Struts REST plugin

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.5.16

Affected Software

Struts 2.1.1 - Struts 2.5.14.1

Reporter

Yevgeniy Grushka & Alvaro Munoz from HPE

CVE Identifier

CVE-2018-1327

Problem

The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.

Solution

If you are using the REST plugin, upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Use Jackson XML handler instead of the default XStream handler as described here.

 

  • No labels