Published on Wednesday, 06 September 2017 13:33
Apache Struts is a popular, free, open-source web application framework for developing Java web applications. Struts is well-known for its extensible "plug-in" architecture.
On 5 September 2017, the Apache Software Foundation announced that a critical security vulnerability (S2-052) was discovered in its Apache Struts project, which allows possible remote code execution (RCE) due to the lack of input validation or sanitization in the Struts REST plugin.
Web application servers using the following Apache Struts versions are affected:
- Struts 2.1.2 to Struts 2.3.33
- Struts 2.5 to Struts 2.5.12
The Struts REST plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering. This can lead to RCE when deserializing XML payloads. Details of the vulnerability are explained in the referenced links below.
System administrators are advised to upgrade to Apache Struts version 2.5.13 or 2.3.34.
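As an added example that is not part of the original advisory, the following Python helper classifies a Struts version string (or a jar file name such as the constructed "struts2-core-2.5.12.jar") against the affected ranges and fixed releases stated above, so an administrator can inventory deployments before upgrading:

```python
"""Classify Apache Struts versions against the S2-052 affected ranges."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((2, 1, 2), (2, 3, 33)),   # Struts 2.1.2 to Struts 2.3.33
    ((2, 5, 0), (2, 5, 12)),   # Struts 2.5 to Struts 2.5.12
]
# First fixed release on each branch, per the advisory.
FIXED_2_3 = "2.3.34"
FIXED_2_5 = "2.5.13"


def parse_version(text: str) -> Optional[Version]:
    """Extract a (major, minor, patch) tuple from a version or jar name.

    A missing patch component is treated as 0, so "2.5" becomes (2, 5, 0),
    which is how the advisory's "Struts 2.5" lower bound is meant.
    The search skips the '2' in "struts2-" because it is not followed by a dot.
    Returns None when no dotted version is present.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside either affected range."""
    v = parse_version(text)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Return the fixed release for an affected version, else None."""
    v = parse_version(text)
    if v is None or not is_affected(text):
        return None
    # 2.1.x through 2.3.x installs move to 2.3.34; the 2.5 branch to 2.5.13.
    return FIXED_2_5 if v[:2] == (2, 5) else FIXED_2_3


# Constructed sample inventory (jar names invented for this example).
SAMPLE_JARS = ["struts2-core-2.5.12.jar", "struts2-core-2.3.34.jar",
               "struts2-rest-plugin-2.3.20.jar", "struts2-core-2.5.13.jar"]
if __name__ == "__main__":
    for jar in SAMPLE_JARS:
        print(jar, "AFFECTED -> upgrade to" if is_affected(jar) else "ok",
              recommended_upgrade(jar) or "")
```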
Developers may consider (i) removing the Struts REST plugin when it is not used or (ii) limiting it to serve normal pages and JSON only:
<constant name="struts.action.extension" value="xhtml,,json" />