THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests |
Maximum security rating | Critical |
Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
Affected Software | Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 |
Reporter | Man Yue Mo <mmo at semmle dot com> (lgtm.com / Semmle). More information on the lgtm.com blog: https://lgtm.com/blog |
CVE Identifier | CVE-2017-9805 |
...
org.apache.struts2.rest.handler.AllowedClassesorg.apache.struts2.rest.handler.AllowedClassNamesorg.apache.struts2.rest.handler.XStreamPermissionProvider
Workaround
No workaround is possible, the The best option is to remove the Struts REST plugin when not used or limit it . Alternatively you can only upgrade the plugin by dropping in all the required JARs (plugin plus all dependencies). Another options is to limit th plugin to server normal pages and JSONs only:
...