Struts 2 critical Remote Code Execution vulnerability CVE-2017-9805
Who should read this: All Struts 2 developers and users
Vulnerability impact:
Possible remote code execution when the Struts REST plugin uses its XStream handler to process XML payloads.
Severity: Critical
Recommendation
Upgrade to Struts 2.5.13.
CVE number
CVE-2017-9805
Problem
The REST plugin's XStream handler deserializes XML request payloads into whatever classes the payload names, with no restriction on the types that can be instantiated. An attacker who can send an XML request to a REST action can use this to execute code remotely.
Solution
Upgrade to Apache Struts version 2.5.13.
Backward compatibility
Some REST actions may stop working because of the default restrictions the new version applies to the classes available for deserialization. In that case, investigate the new interfaces introduced to let each action define its own class restrictions, which are:
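The following added example is mine, not code from the Struts project or from this advisory. It shows the mechanism behind both the problem and the backward-compatibility note: an XStream instance that instantiates whatever class the XML names, beside one that starts from deny-all and allows only the types the action actually consumes, which is the kind of restriction the new version applies by default. It assumes XStream 1.4.7 or later (the `addPermission`/`allowTypes` security API) and a constructed `OrderRequest` type with constructed sample payloads; it reproduces no gadget chain, only the fact that the unrestricted instance honours an arbitrary class name while the restricted one raises `ForbiddenClassException`.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example, not Struts project code. Contrasts an XStream instance that
 * instantiates any class named in the XML (the behaviour behind CVE-2017-9805)
 * with one restricted to the types a single action actually consumes.
 * Assumes XStream 1.4.7+ (security framework API).
 */
public class XStreamAllowListDemo {

    /** Hypothetical request type for the action under test (constructed). */
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    /** Constructed payload of the type the action expects. */
    static final String EXPECTED_XML =
            "<order><sku>ABC-123</sku><quantity>2</quantity></order>";

    /**
     * Constructed payload naming a class the action never asked for. Nothing
     * here is a gadget chain; it only shows that the element name is trusted
     * as a class name. In a real attack the class named is one whose
     * deserialization side effects run attacker-controlled code.
     */
    static final String UNEXPECTED_XML =
            "<java.io.File>/etc/passwd</java.io.File>";

    /** Mirrors the vulnerable handler: no type filtering at all. */
    static Object deserializeUnrestricted(String xml) {
        XStream xstream = new XStream();
        xstream.alias("order", OrderRequest.class);
        return xstream.fromXML(xml);
    }

    /** Hardened: deny everything, then allow only what this action consumes. */
    static Object deserializeAllowListed(String xml) {
        XStream xstream = new XStream();
        xstream.alias("order", OrderRequest.class);
        // Permissions are evaluated last-added first, so the deny-all entry
        // goes in first and acts as the fallback for anything not allowed below.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, OrderRequest.class });
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        OrderRequest ok = (OrderRequest) deserializeAllowListed(EXPECTED_XML);
        System.out.println("allow-listed accepted: " + ok.sku + " x" + ok.quantity);

        // The unrestricted instance builds whatever type the attacker named.
        Object arbitrary = deserializeUnrestricted(UNEXPECTED_XML);
        System.out.println("unrestricted produced: " + arbitrary.getClass().getName());

        // The restricted instance refuses before any converter or constructor runs.
        try {
            deserializeAllowListed(UNEXPECTED_XML);
            System.out.println("allow-listed accepted the unexpected type (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("allow-listed rejected: " + e.getMessage());
        }
    }
}
```

A restricted instance built this way breaks any REST action whose payload names a type outside the list, which is exactly the backward-compatibility effect described above; the fix for such an action is to widen its allow-list, not to drop the deny-all entry.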
Workaround
The best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only.
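As an added example (not text from this advisory), one way to apply the second form of the workaround in struts.xml: the `struts.action.extension` constant controls which request extensions the framework dispatches, and the empty entry between the commas stands for requests with no extension. The extensions assumed here are `xhtml` and `json`; substitute whatever your application actually serves, leaving `xml` out so that XML requests are no longer routed to the REST plugin's XStream handler.

```xml
<!-- Added example, not part of the advisory: restrict the dispatched
     extensions so that .xml requests (and with them XStream content
     handling) are no longer served. The empty entry between the commas
     means "no extension". Assumed extensions: xhtml and json. -->
<constant name="struts.action.extension" value="xhtml,,json" />
```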
Affected version:
Struts 2.5 - Struts 2.5.12