Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests
Maximum security rating
Critical
Recommendation
Upgrade to Struts 2.5.13
Affected Software
Struts 2.5 - Struts 2.5.12
Reporter
Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on the lgtm.com blog: https://lgtm.com/blog
CVE Identifier
CVE-2017-9805
Problem
The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.
Solution
Upgrade to Apache Struts version 2.5.13.
Backward compatibility
It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that was introduced to allow define class restrictions per action, those interfaces are:
org.apache.struts2.rest.handler.AllowedClasses
org.apache.struts2.rest.handler.AllowedClassNames
org.apache.struts2.rest.handler.XStreamPermissionProvider
Workaround
No workaround is possible, the best option is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only:
<constant name="struts.action.extension" value="xhtml,,json" />
'취약점 정보2' 카테고리의 다른 글
| 공유기 취약점 악용 악성코드 유포주의 (0) | 2017.09.07 |
|---|---|
| Apache Software Foundation Releases (0) | 2017.09.06 |
| iptime 업데이트 (0) | 2017.09.05 |
| libgd2 security update (0) | 2017.09.05 |
| 어도비 제품군 업데이트 안내 (0) | 2017.09.01 |
