...
| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | An RCE attack is possible when using the Struts REST plugin with the XStream handler to deserialise XML requests |
| Maximum security rating | Critical |
| Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
| Affected Software | Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 |
| Reporter | Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on the lgtm.com blog: https://lgtm.com/blog |
| CVE Identifier | CVE-2017-9805 |
...
org.apache.struts2.rest.handler.AllowedClasses
org.apache.struts2.rest.handler.AllowedClassNames
org.apache.struts2.rest.handler.XStreamPermissionProvider
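The allow-list approach behind the interfaces listed above, shown on a plain XStream instance as an added example (this is not the Struts REST plugin's own code). It assumes XStream 1.4.7 or later and a constructed `OrderRequest` request type: every type is denied first, only the listed ones are re-allowed, and a payload naming any other class is rejected before an instance is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    /** Constructed request type: the only application class the parser may instantiate. */
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    /** Build an XStream that refuses every type except those explicitly allowed. */
    static XStream restrictedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);           // deny everything first
        xstream.addPermission(NullPermission.NULL);             // then re-allow null ...
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // ... primitives ...
        xstream.allowTypes(new Class[]{String.class, OrderRequest.class}); // ... and our types
        xstream.alias("order", OrderRequest.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = restrictedXStream();

        // Constructed legitimate request: parses normally.
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        OrderRequest req = (OrderRequest) xstream.fromXML(good);
        System.out.println("parsed sku=" + req.sku + " qty=" + req.quantity);

        // Constructed request naming a class outside the allow list (a harmless
        // JDK type here): XStream rejects the type name before instantiating it.
        String bad = "<java.util.HashMap/>";
        try {
            xstream.fromXML(bad);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the `NoTypePermission.NONE` line XStream falls back to its default permissions, so the allow list alone does not give the deny-by-default behaviour this relies on.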
Workaround
No workaround is possible. The best option is to remove the Struts REST plugin when it is not used, or to limit it. Alternatively, you can upgrade only the plugin by dropping in all the required JARs (the plugin plus all of its dependencies). Another option is to limit the plugin to serving normal pages and JSON only:
...