Apache Struts2 S2-052 vulnerability research alert - vulnerability warning - the black bar safety net

ID MYHACK58:62201789104
Type myhack58
Reporter Anonymous
Modified 2017-09-06T00:00:00


"The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type of filtering and this can lead to Remote Code Execution when deserializing XML payloads." - Apache Struts Security Bulletin (reference 1)

On 5 September 2017 the Apache Struts project published its latest security bulletin: the Struts2 REST plugin contains a high-risk remote code execution vulnerability. The flaw was reported by security researchers at lgtm.com and is tracked as CVE-2017-9805 (S2-052). It is a deserialization vulnerability in the XStream component used by the Struts2 REST plugin: the plugin hands XML-formatted request bodies to XStream for deserialization without performing any effective validation of the data content. An application that has the rest-plugin enabled and XStreamHandler configured can therefore be made to execute arbitrary commands remotely.

0x01 Vulnerability impact

CVE-2017-9805 is rated high risk. In practice there are limitations: the precondition is that the application has the REST plugin enabled, and the REST plugin is not a component that Struts enables by default.

Affected versions
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33

Fixed versions
Struts 2.5.13
Struts 2.3.34

0x02 Vulnerability details

[Figure: file /org/apache/struts2/rest/ContentTypeInterceptor.java]

In the struts2 rest-plugin, the processing logic of ContentTypeInterceptor dispatches the request to the handler registered for the content type of the incoming message and calls that handler's toObject method to instantiate the object. For an incoming XML message, execution jumps to the toObject method of the XStreamHandler mentioned above.

[Figure: XStreamHandler.toObject]

Here the fromXML call deserializes the XML and instantiates the attacker-supplied object, which leads to execution of the malicious code.

[Figure: proof of concept]

The screenshot then shows the calculator popping up, confirming that code execution succeeded.

Vulnerability fix

[Figure: XStreamPermissionProvider]

The new version adds an XStreamPermissionProvider and overrides createXStream to add checks that reject unsafe classes during deserialization.

0x03 Vulnerability verification

[Figure: verification]

0x04 Remediation recommendations

1. Configure the plugin so that the data formats it processes are limited to JSON.
2. Upgrade Struts to version 2.5.13 or 2.3.34.
3. Perform data validation or filtering in XStreamHandler.
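The fix described above (createXStream overridden to reject unsafe classes) and remediation item 3 (filtering in XStreamHandler) both come down to the same thing: an XStream instance must not be allowed to instantiate whatever class name appears in the XML. The following is an added example, not code from the page or from the Struts project, showing an XStream instance hardened with XStream's own security framework (NoTypePermission, NullPermission, PrimitiveTypePermission, allowTypes, available since XStream 1.4.7) against an unfiltered one. The Order class and the sample XML documents are constructed for the demo.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Hypothetical application model: the only object the REST endpoint expects.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Unfiltered instance: the configuration S2-052 describes. With XStream releases
    // of that era (1.4.x before 1.4.18) this accepts any class named in the XML.
    static XStream unfiltered() {
        return new XStream();
    }

    // Hardened instance: deny everything, then allow only what the endpoint needs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);           // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);             // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class }); // explicit allow-list
        xs.alias("order", Order.class);                    // <order> maps to Order
        return xs;
    }

    // Deserialize and treat a rejected class as a hard failure, never as a fallback case.
    static Object parse(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.err.println("rejected payload naming forbidden type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads.
        String expected = "<order><id>A-17</id><quantity>3</quantity></order>";
        // A benign type outside the allow-list; it stands in for any class the endpoint
        // never meant to instantiate.
        String unexpected = "<java.util.Date>2017-09-05 00:00:00.0 UTC</java.util.Date>";

        Order o = (Order) parse(hardened(), expected);
        System.out.println("accepted: " + o.id + " x" + o.quantity);

        Object rejected = parse(hardened(), unexpected);
        System.out.println("hardened accepted unexpected type? " + (rejected != null)); // false

        Object leaked = parse(unfiltered(), unexpected);
        System.out.println("unfiltered instantiated unexpected type? " + (leaked != null));
    }
}
```

The hardened instance throws ForbiddenClassException as soon as the root element names a class outside the allow-list, before any converter runs; that is the check the Struts fix adds through XStreamPermissionProvider. For detection, a log line from that catch block on a production endpoint is a strong signal, since legitimate clients never send unknown root types.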