Apache Struts REST plugin XStream deserialization vulnerability

Description

Added: 09/08/2017
CVE: [CVE-2017-9805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>)
BID: [100609](<http://www.securityfocus.com/bid/100609>)

### Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

### Problem

The REST plugin in Apache Struts uses `XStreamHandler` with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands.

### Resolution

[Upgrade](<http://struts.apache.org/download.cgi>) to Apache Struts 2.3.34 or 2.5.13 or higher.

### References

<https://struts.apache.org/docs/s2-052.html>
<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>

### Limitations

Exploit works on Struts 2.5.10 running on Linux.

### Platforms

- Windows
- Linux
- Linux x64
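The missing control named in the Problem section is type filtering on the XStream instance that unmarshals request bodies. The following is an added illustration of what that control looks like, not code from Apache Struts or from the advisory: it builds an XStream instance that starts from a deny-all permission and then allows only the types an application model needs, so an XML document naming any other class is rejected before it is instantiated. The `OrderRequest` class, the `order` alias and the `com.example.model` package are assumed for the example; the XStream security API calls (`NoTypePermission`, `allowTypeHierarchy`, `allowTypesByWildcard`, `ForbiddenClassException`) are the real ones available since XStream 1.4.7.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class HardenedXStreamDemo {

    // Hypothetical request model that the REST endpoint is meant to accept.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    /** Builds an XStream instance that only materialises explicitly allowed types. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream();

        // 1. Deny everything first; every later permission is an explicit exception.
        xs.addPermission(NoTypePermission.NONE);

        // 2. Re-enable the building blocks a plain data model needs:
        //    null values, primitives and their boxed forms, String, and the
        //    collection/map hierarchies.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[]{String.class});
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypeHierarchy(Map.class);

        // 3. Allow the application's own model classes and nothing else.
        //    "com.example.model.**" is an assumed package for this example.
        xs.allowTypesByWildcard(new String[]{"com.example.model.**"});
        xs.allowTypes(new Class[]{OrderRequest.class});

        // Give the model class a stable element name instead of the FQCN.
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    /**
     * Unmarshals a request body with the hardened instance.
     * Returns the object for allowed types and null when XStream refuses
     * the document because it names a class outside the allowlist.
     */
    public static Object parseOrNull(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Log and reject; the forbidden class is never constructed.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed sample body that matches the allowed model.
        String legit = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        Object ok = parseOrNull(xs, legit);
        System.out.println("accepted: " + (ok instanceof OrderRequest)
                + " sku=" + ((OrderRequest) ok).sku
                + " quantity=" + ((OrderRequest) ok).quantity);

        // Constructed sample body naming a JDK class that is not on the allowlist.
        // With the deny-all baseline this throws ForbiddenClassException.
        String unlisted = "<java.io.File><path>/tmp/x</path></java.io.File>";
        Object rejected = parseOrNull(xs, unlisted);
        System.out.println("unlisted type rejected: " + (rejected == null));
    }
}
```

The important design choice is the order of the permissions: `NoTypePermission.NONE` has to come first so that the configuration is an allowlist rather than a denylist of known-bad classes. Since XStream 1.4.18 a new instance already starts in this deny-all state, but code that targets older versions, as the affected Struts releases did, has to set it up explicitly; the Struts fix itself is the version upgrade named under Resolution.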