Apache Struts Remote Code Execution Vulnerability (CVE-2017-9805)

September 6, 2017

Summary

A critical vulnerability has been disclosed in Apache Struts, a web application framework for Java. Remote code execution is possible when the Apache Struts REST plugin is used with the XStream handler to deserialise XML requests: the handler passes the untrusted XML body to XStream without restricting which classes may be instantiated, so a crafted request can execute code on the server during deserialisation. [1]

Impact

An unauthenticated remote attacker who can reach an endpoint served by the Struts REST plugin and send it an XML request body can execute arbitrary code on the server with the privileges of the application process.

Vulnerable

  • Apache Struts 2.0.1 - 2.3.33
  • Apache Struts 2.5 - 2.5.12
  • All versions of Apache Struts released since 2008

Recommendations

  • Upgrade to Apache Struts 2.5.13 (or later) immediately. [1]
  • No workaround exists. Where an upgrade cannot be applied at once, remove the Struts REST plugin if it is not used, or restrict it to serving normal pages and JSON only so that XML request bodies are never handed to the XStream handler. See Apache Struts Security Advisory S2-052 for details. [1]

  • Many popular vendor products use Java and the Struts web application framework. If you manage a Java web application, check with your vendor or developer to determine whether the application uses Struts, whether the REST plugin is deployed, and whether it is vulnerable. Install any vendor patches that address CVE-2017-9805 immediately.
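The underlying defect is that XStream, when given no type restrictions, instantiates whatever class the XML element names. The following is an added example, written for this page and not code from the Struts project or from the S2-052 advisory, that contrasts an unrestricted XStream instance with one that starts from deny-all and re-enables only the types the endpoint is expected to receive. The Order and UnexpectedType classes, the sample XML documents and the class names are constructed for the demonstration; it assumes XStream 1.4.7 or later on the classpath, since that release introduced the permission API used here.

```java
// Added example: XStream with no type restrictions versus an explicit allowlist.
// Assumes xstream >= 1.4.7 on the classpath. Compile and run from a directory
// (no package declaration) so XStream can resolve the element names by class name.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

// Hypothetical model class: the one type a REST endpoint legitimately accepts.
class Order {
    public String id;
    public int quantity;
}

// Hypothetical stand-in for "a class the endpoint never expected". A real attack
// names gadget classes whose construction has side effects; this one is inert.
class UnexpectedType {
    public String note;
}

public class XStreamAllowlistDemo {

    // Constructed sample request: a legitimate order document.
    static final String ORDER_XML =
        "<order><id>A-17</id><quantity>3</quantity></order>";

    // Constructed sample request where the element name selects the class.
    static final String UNEXPECTED_XML =
        "<UnexpectedType><note>chosen by the client</note></UnexpectedType>";

    /** Pre-fix behaviour: the XML decides which class is instantiated.
     *  Recent XStream releases no longer default to this, so the permissive
     *  setting is made explicit to reproduce the behaviour of the era. */
    static XStream permissive() {
        XStream x = new XStream();
        x.addPermission(AnyTypePermission.ANY);
        x.alias("order", Order.class);
        return x;
    }

    /** Hardened: deny every type, then allow only what the endpoint needs. */
    static XStream allowlisted() {
        XStream x = new XStream();
        x.addPermission(NoTypePermission.NONE);               // start from deny-all
        x.addPermission(NullPermission.NULL);                 // permit <null/>
        x.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, wrappers
        x.allowTypes(new Class[] { String.class, Order.class });
        x.allowTypeHierarchy(Collection.class);               // lists of orders
        x.allowTypeHierarchy(Map.class);
        x.alias("order", Order.class);
        return x;
    }

    public static void main(String[] args) {
        Order ok = (Order) allowlisted().fromXML(ORDER_XML);
        System.out.println("allowlisted accepted order " + ok.id + " x" + ok.quantity);

        Object any = permissive().fromXML(UNEXPECTED_XML);
        System.out.println("permissive instantiated " + any.getClass().getName());

        try {
            allowlisted().fromXML(UNEXPECTED_XML);
            System.out.println("allowlisted accepted unexpected type (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

The check that matters is the last one: with the allowlist in place, an element naming a class outside the expected set is refused before any object is created, which is the property an XML deserialisation endpoint needs regardless of which gadget chain an attacker would otherwise choose. S2-052 itself recommends, for installations that cannot upgrade at once, limiting the REST plugin through the struts.action.extension setting so that only page and JSON extensions are served; that keeps XML bodies away from the XStream handler altogether and is the simpler of the two measures to verify.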

References