Apache Struts REST Plugin XStream XML Request Deserialization RCE (CVE 2017-9805)

Share and earn Cybytes
Facebook Twitter LinkedIn Email

A new critical vulnerability (S2-052) in the Apache Struts framework (CVE 2017-9805) could allow an unauthenticated attacker to run arbitrary commands on a server using the Struts framework with the popular REST communication plugin.

Vulnerability details

A remote code execution vulnerability exists in Apache Struts due to an unsafe deserialization of Java code in the REST plugin. The REST plugin uses XStream to deserialize XML requests without first sanitizing user-supplied input. This allows a remote unauthenticated attacker to execute arbitrary code using a crafted XML payload passed to the REST plugin.

A code sample used by lgtm to identify the flaw is listed here:

/** The ContentTypeHandler Java class in Struts **/
class ContentTypeHandler extends Interface {
  ContentTypeHandler() {
    this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
/** The method `toObject` */
class ToObjectDeserializer extends Method {
  ToObjectDeserializer() {
    this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and
    this.getSignature = "toObject(java.io.Reader,java.lang.Object)"

Tenable coverage

Tenable has released two plugins to detect vulnerable Apache Struts installs in your environment.

Unauthenticated Remote Check

Plugin 102977 is a remote plugin which will attempt to exploit the vulnerability and send an ICMP echo (ping) request from the remote host back to the scanner host to verify a successful exploit. A successful scan will produce the following results:

Apache Struts Exploit Output

To enable a proper scan test, a few steps must be performed.

  1. First, enable the scanner to “perform thorough tests” under the Assessment -> General Settings.

  1. Second, enable a Web Application Scan (Assessment -> Web Applications. It’s best for the scan to be configured with the appropriate location to start crawling the web application. The crawler setting can be defined in Assessment -> Web Applications -> Start crawling from.

  1. Finally, for highly segmented and compartmentalized networks, it is important for the target to have the ability to ping the scanner’s direct IP. This is especially important in cloud environments where VPCs, subnets, and containerized applications can interfere with the communication the plugin sends from the target to the scanner to verify that the blind remote code execution vulnerability exists.

Authenticated Local Check

In addition to the remote check, a local version check (Plugin ID 102960) is available for both Windows (using SMB credentials) and Unix (using SSH credentials). Note that this plugin only runs in scans where the Accuracy setting is set to Show potential false alarms. Since the plugin relies only on the version number identified for a Struts application, this plugin is unable to identify if a workaround is in place which mitigates the vulnerability. For this reason, the Accuracy setting must be set to Show Potential false alarms.

Windows Example:

Apache Struts Windows output

Unix Example:

Apache Struts Unix output

What customers should do

Customers who are affected by this vulnerability should upgrade to Apache Struts version 2.3.34 or 2.5.13 or later.  A workaround is available at https://cwiki.apache.org/confluence/display/WW/S2-052.

If you suspect your system is vulnerable, but it is not reporting something similar, check the scan’s Audit Trail for plugins 102977 and 102960. Nessus may have difficulty crawling some web applications or could have trouble finding the application on the file system for the authenticated check. Make sure you follow the instructions listed above.

Due to the nature of this vulnerability, it is critical that vulnerable hosts be patched as quickly as possible. By leveraging the remote check available from Nessus, it is possible to scan all of your web applications to identify any application that is using an outdated and vulnerable version of Struts.

Thanks to Andrew Orr and Thomas Cappetta for their contributions to this blog post.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?