CVE-2017-9805: Apache Struts Remote Code Execution | Cloud Foundry

2017-09-08T00:00:00
ID CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE
Type cloudfoundry
Reporter Cloud Foundry
Modified 2017-09-08T00:00:00

Severity

Advisory/Critical

Vendor

Apache

Versions Affected

  • Apache Struts 2:
    • 2.3.x versions prior to 2.3.34
    • 2.5.x versions prior to 2.5.13

Description

Remote code execution (RCE) is possible when the Struts REST plugin uses the XStream handler to deserialise XML requests [1].

Affected Cloud Foundry Products and Versions

  • The Cloud Foundry team has determined that core releases do not package Apache Struts.
  • However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].

Mitigation

  • The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any Cloud Foundry-specific upgrades.
  • However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].
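As an added example that is not part of the Cloud Foundry advisory, the following Python script flags Struts 2 core and REST-plugin jars in an application's deployable whose version falls inside the affected ranges listed above (2.3.x before 2.3.34, 2.5.x before 2.5.13). The jar naming pattern and the sample library listing are assumptions; the listing is constructed, not taken from a real application.

```python
"""Flag Struts 2 jars whose version falls in the S2-052 affected ranges."""
import re
from pathlib import Path

# First fixed release per branch, from the advisory: 2.3.34 and 2.5.13.
FIXED = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}

# Assumed Maven-style jar names, e.g. struts2-core-2.5.12.jar.
# The REST plugin jar is the component named in the description, so
# its presence is the strongest exposure indicator.
JAR_RE = re.compile(r"^struts2-(?:core|rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.14.1' -> (2, 5, 14, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if affected, False if fixed, None if the branch is not listed."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return None  # branch not covered by this advisory (e.g. 2.1.x)
    return parsed < fixed


def scan_jar_names(names):
    """Map each Struts 2 core/REST-plugin jar path to AFFECTED/fixed/unlisted."""
    labels = {True: "AFFECTED", False: "fixed", None: "unlisted"}
    findings = {}
    for name in names:
        match = JAR_RE.match(Path(name).name)
        if match:
            findings[name] = labels[is_affected(match.group(1))]
    return findings


def scan_dir(root):
    """Scan an unpacked application directory for matching jars."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample of an application's WEB-INF/lib (not real data).
SAMPLE_LIBS = [
    "WEB-INF/lib/struts2-core-2.5.12.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.5.12.jar",
    "WEB-INF/lib/struts2-core-2.3.34.jar",
    "WEB-INF/lib/xstream-1.4.10.jar",
]

if __name__ == "__main__":
    for jar, status in scan_jar_names(SAMPLE_LIBS).items():
        print(f"{status:9} {jar}")
```

Run `scan_dir` against an unpacked application archive to get the same report for a real deployment.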

Credit

Man Yue Mo

References

[1] https://struts.apache.org/docs/s2-052.html

[2] https://struts.apache.org/announce.html#a20170907

[3] https://struts.apache.org/announce.html#a20170905