Versions Compared

Old Version 2

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version Current

changes.mady.by.user René Gielen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads


Who should read this

All Struts 2 developers and users

Impact of vulnerability

A RCE attack is possible

because of a vulnerability in the XStream library

when using the Struts REST plugin with XStream handler to deserialise XML requests

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.5.13 or Struts 2.3.34

Affected Software

Struts 2.

3

1.

7

6 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Reporter

Man Yue Mo

 <mmo

<mmo at semmle dot com> (lgtm.com / Semmle). More information on the lgtm.com blog: https://lgtm.com/blog

CVE Identifier

CVE-2017-

9793

9805

Problem

The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can leads lead to Remote Code Execution when deserializing XML payloads.

...

  • org.apache.struts2.rest.handler.AllowedClasses
  • org.apache.struts2.rest.handler.AllowedClassNames
  • org.apache.struts2.rest.handler.XStreamPermissionProvider

Workaround

No workaround is possible, the The best option is to remove the Struts REST plugin when not used or limit it . Alternatively you can only upgrade the plugin by dropping in all the required JARs (plugin plus all dependencies).  Another options is to limit th plugin to server normal pages and JSONs only:

  1. Disable handling XML pages and requests to such pages

    Code Block
    xml
    xml
    <constant name="struts.action.extension" value="xhtml,,json" />

...

 

...


  2. Override getContentType in XStreamHandler
     Code Block
    languagejava
    public class MyXStreamHandler extends XStreamHandler { public String getContentType() {
 return "not-existing-content-type-@;/&%$#@";
 }
}

  3. Register the handler by overriding the one provided by the framework in your struts.xml
     Code Block
    xml
    xml
    <bean type="org.apache.struts2.rest.handler.ContentTypeHandler" name="myXStreamHandmer" class="com.company.MyXStreamHandler"/>
<constant name="struts.rest.handlerOverride.xml" value="myXStreamHandler"/>