...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | A RCE attack is possible because of a vulnerability in the XStream library |
Maximum security rating | Critical |
Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
Affected Software | Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 |
Reporter | Man Yue Mo <mmo at semmle dot com> |
CVE Identifier | CVE-2017-9793 |
...
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
Backward compatibility
It is possible that some REST actions stop working because of applied default restrictions on available classes. In such case please investigate the new interfaces that was introduced to allow define class restrictions per action, those interfaces are:
...