You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Summary

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.5.13

Affected Software

Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter

Man Yue Mo  <mmo at semmle dot com> from Semmle Ltd lgtm.com

CVE Identifier

CVE-2017-9805

Problem

The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.

Solution

Upgrade to Apache Struts version 2.5.13.

Backward compatibility

It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that was introduced to allow define class restrictions per action, those interfaces are:

  • org.apache.struts2.rest.handler.AllowedClasses
  • org.apache.struts2.rest.handler.AllowedClassNames
  • org.apache.struts2.rest.handler.XStreamPermissionProvider

Workaround

No workaround is possible, the best option is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only:

<constant name="struts.action.extension" value="xhtml,,json" />

 

 

  • No labels