[SingCERT] Alert on Apache Struts2 Remote Code Execution Vulnerability (S2-052)

Published on Wednesday, 06 September 2017 13:33

Background

Apache Struts is a popular, free, open-source web application framework for developing Java web applications. Struts is well-known for its extensible "plug-in" architecture.

On 5th September 2017, the Apache Software Foundation announced that a critical security vulnerability (S2-052) had been discovered in its Apache Struts project. It may allow remote code execution (RCE) due to the lack of input validation or sanitisation in the Struts REST plugin.

Affected Systems

Web application servers using the following Apache Struts versions are affected:

  • Struts 2.1.2 to Struts 2.3.33
  • Struts 2.5 to Struts 2.5.12

Impact

The Struts REST plugin uses an XStreamHandler with an instance of XStream for deserialisation without any type filtering. This can lead to RCE when deserialising XML payloads. Details of the vulnerability are explained in the referenced links below.

Recommendations

System administrators are advised to upgrade to Apache Struts version 2.5.13 or 2.3.34.
Developers may consider (i) removing the Struts REST plugin when it is not used, or (ii) limiting it to serve normal pages and JSON responses only, by setting the action extension constant as follows:
<constant name="struts.action.extension" value="xhtml,,json" />
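The following audit script is an added example, not part of the SingCERT advisory or the Struts project. It checks a deployed Struts version against the affected ranges listed above and inspects a struts.xml fragment for the recommended struts.action.extension setting; it assumes (this is not stated in the advisory) that when no such constant is present, the REST plugin's own default extension list still includes xml.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]

def parse_version(text):
    """Turn '2.5.12' or '2.5' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def rest_xml_enabled(struts_xml):
    """True if struts.action.extension still lets the REST plugin serve 'xml'.
    Assumption (not from the advisory): with no override the plugin default
    applies, and that default is treated here as including xml."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.action.extension":
            exts = [e.strip().lower() for e in const.get("value", "").split(",")]
            return "xml" in exts
    return True

def audit(version, struts_xml):
    """Return a list of findings; an empty list means both recommendations are met."""
    findings = []
    if is_affected(version):
        findings.append(f"Struts {version} is in an affected range; upgrade to 2.5.13 or 2.3.34")
    if rest_xml_enabled(struts_xml):
        findings.append("REST plugin still serves xml; restrict struts.action.extension or remove the plugin")
    return findings

# Constructed sample configurations: one permissive, one using the advisory's setting.
UNSAFE_STRUTS_XML = """<struts>
  <constant name="struts.action.extension" value="xhtml,,xml,json" />
</struts>"""
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.action.extension" value="xhtml,,json" />
</struts>"""

if __name__ == "__main__":
    for finding in audit("2.5.12", UNSAFE_STRUTS_XML):
        print("FINDING:", finding)
```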

References

https://cwiki.apache.org/confluence/display/WW/S2-052
https://lgtm.com/blog/apache_struts_CVE-2017-9805