
Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data

Description

### Overview

Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application.

### Description

[**CWE-502**](https://cwe.mitre.org/data/definitions/502.html)**: Deserialization of Untrusted Data** - CVE-2017-9805

In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses `XStreamHandler` with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application.

Refer to the researcher's [blog post](https://lgtm.com/blog/apache_struts_CVE-2017-9805) for more information about this vulnerability. A [Metasploit module](https://github.com/rapid7/metasploit-framework/pull/8924/files) with exploit code is publicly available.

---

### Impact

A remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application.

---

### Solution

**Apply an update**

The vendor has released version 2.5.13 to address this vulnerability. No workaround is possible [according to the vendor](https://struts.apache.org/docs/s2-052.html), so patching is strongly recommended.

---

**Remove or limit the REST plugin**

If it is not used, consider removing the REST plugin. Per the vendor, it is also possible to limit its functionality to normal server pages or JSON with the following configuration change in `struts.xml`:

`<constant name="struts.action.extension" value="xhtml,,json" />`

---

### Vendor Information (112992)

### Apache Struts

Updated: September 06, 2017

### Status

Affected

### Vendor Statement

We have not received a statement from the vendor.

### Vendor Information

We are not aware of further vendor information regarding this vulnerability.

### Vendor References

* <https://struts.apache.org/docs/s2-052.html>

### CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.3 | E:F/RL:OF/RC:C |
| Environmental | 8.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |

### References

* <https://cwe.mitre.org/data/definitions/502.html>
* <https://struts.apache.org/docs/s2-052.html>
* <https://lgtm.com/blog/apache_struts_CVE-2017-9805>
* <https://github.com/rapid7/metasploit-framework/pull/8924/files>

### Acknowledgements

Man Yue Mo of lgtm is credited with reporting this vulnerability to the vendor.

This document was written by Joel Land.

### Other Information

| **CVE IDs:** | [CVE-2017-9805](http://web.nvd.nist.gov/vuln/detail/CVE-2017-9805) |
|---|---|
| **Date Public:** | 2017-09-05 |
| **Date First Published:** | 2017-09-06 |
| **Date Last Updated:** | 2017-09-06 13:16 UTC |
| **Document Revision:** | 14 |
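The root cause named above is the absence of type filtering on the XStream instance: XStream will instantiate whatever class the root element (and nested elements) of the incoming XML names. The example below is an added illustration, not code from this advisory, from Apache Struts or from the REST plugin, of what a deny-by-default type allowlist looks like for an application that uses XStream directly. It assumes XStream's security API (`addPermission`, `allowTypes`, `ForbiddenClassException`, available since XStream 1.4.7) and a hypothetical `Order` class standing in for the one type the endpoint actually expects.

```java
// Added example (not from the advisory or the Struts project): XStream configured
// with a deny-by-default type allowlist, i.e. the type filtering whose absence in
// the REST plugin's XStreamHandler is the root cause of CVE-2017-9805.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class FilteredXStreamExample {

    // Hypothetical application type: the only document shape this endpoint accepts.
    public static class Order {
        public String sku;
        public int quantity;
    }

    /** Build an XStream instance that unmarshals explicitly allowed types only. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Deny every type first...
        xstream.addPermission(NoTypePermission.NONE);
        // ...then re-enable only what the application needs: null, primitives and
        // their boxed forms, String (not covered by PRIMITIVES) and our own type.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Map the root element name so clients never send a class name at all.
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Returns the parsed Order, or null when the XML names a type outside the allowlist. */
    public static Order parseOrder(XStream xstream, String xml) {
        try {
            Object result = xstream.fromXML(xml);
            return (result instanceof Order) ? (Order) result : null;
        } catch (ForbiddenClassException e) {
            // Log for detection purposes and reject; do not echo the exception to the client.
            System.err.println("rejected XML naming a disallowed type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: the expected document shape.
        String good = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        Order o = parseOrder(xstream, good);
        System.out.println("parsed: " + o.sku + " x" + o.quantity);

        // Constructed sample: a document whose root names a JDK class the endpoint
        // never asked for. An unfiltered XStream would instantiate it; this one refuses.
        String unexpected = "<java.util.HashMap/>";
        System.out.println("unexpected root accepted? " + (parseOrder(xstream, unexpected) != null));
    }
}
```

The important property is the order of the permissions: `NoTypePermission.NONE` clears XStream's permissive defaults, and every later `allowTypes` or `addPermission` call widens the set deliberately. For a Struts deployment the practical fix remains upgrading to 2.5.13 as the advisory states; this example only shows the kind of filtering that upgrade introduces, and it is also a useful pattern to audit for in any other code that hands XStream untrusted input.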

