Apache Struts REST plugin XStream deserialization vulnerability

Added: 09/08/2017
CVE: CVE-2017-9805
BID: 100609

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

The REST plugin in Apache Struts uses XStreamHandler with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands.
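
The missing type filtering can be illustrated with XStream's own security framework, which the fixed Struts releases rely on. The following is an added example, not code from Struts or from the advisory; the OrderRequest type, the "order" alias and the sample XML bodies are constructed for illustration, and the hardened instance uses the deny-by-default allowlist pattern rather than reproducing the project's exact configuration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical request model: the only object type this endpoint should ever receive.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    // Vulnerable pattern (as in the affected REST plugin): a bare XStream instance is handed
    // untrusted request bodies. In XStream releases before 1.4.18 this applies no type filter,
    // so whatever class name the XML supplies is instantiated.
    static XStream unfiltered() {
        return new XStream();
    }

    // Hardened pattern: remove every permission, then allow only what the endpoint needs.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // deny all; must be added first
        xs.addPermission(NullPermission.NULL);                 // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one the endpoint expects, one naming an unrelated JDK class.
        String expected = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.HashMap/>";

        XStream safe = allowlisted();
        OrderRequest r = (OrderRequest) safe.fromXML(expected);
        System.out.println("accepted: " + r.sku + " x" + r.quantity);

        try {
            safe.fromXML(unexpected);           // class not on the allowlist
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            // This is the rejection the affected plugin never performed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A log of ForbiddenClassException at the REST endpoint is also a useful detection signal once the allowlist is in place, since legitimate clients never send class names outside it.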

Resolution

Upgrade to Apache Struts 2.3.34 or 2.5.13, or a later release.

References

https://struts.apache.org/docs/s2-052.html
http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html

Limitations

Exploit works on Struts 2.5.10 running on Linux.

Platforms

Windows
Linux
Linux x64