Summary
A crafted XML request can be used to perform a DoS attack when using the Struts REST pluginWho should read this | All Struts 2 developers and users which are using the REST plugin |
---|---|
Impact of vulnerability | A DoS attack is possible when using XStream handler with the Struts REST plugin |
Maximum security rating | Moderate |
Recommendation | Upgrade to Struts 2.5.16 |
Affected Software | Struts 2.1.1 - Struts 2.5.14.1 |
Reporter | Yevgeniy Grushka & Alvaro Munoz from HPE |
CVE Identifier | CVE-2018-1327 |
Problem
The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.
Solution
If you are using the REST plugin, upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Use Jackson XML handler instead of the default XStream handler as described here.