Apache Struts 2 is a framework for creating enterprise Java web applications. The framework is designed to reduce the overhead of building, deploying and maintaining applications. A remote code execution vulnerability in the framework has been discovered using lgtm.com.
The Apache Struts group has addressed this vulnerability in security bulletin S2-052, and it has been assigned CVE-2017-9805. According to the official advisory, the issue occurs when the REST plugin uses XStream to deserialize XML payloads without any type filtering, which can lead to remote code execution. The affected versions are Struts 2.1.2 through 2.3.33 and Struts 2.5 through 2.5.12. The official fix has been released in Struts 2.5.13 and Struts 2.3.34. The Apache Struts group has rated this vulnerability as critical.
Vulnerability:
Serialization is a technique for converting objects into a standard format for transmission or storage; deserialization converts that serialized data back into usable objects. An attacker can craft serialized input such that deserialization code which misinterprets it, or does not perform the necessary checks on it, reconstructs objects the receiver never intended to create, causing the receiver to behave abnormally. In this case the issue occurs when the target uses the XStream framework to deserialize an XML document without type filtering, so the incoming XML itself decides which classes get instantiated.
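To make the "without type filtering" point concrete, here is an added example in Java (not code from Struts, XStream or the advisory). It feeds two constructed XML documents to an XStream instance with no security configuration and to one restricted to an allow-list of the types the endpoint actually expects. The Order class, the "order" alias and both XML samples are constructed for this illustration; the type permission calls are real XStream 1.4.7+ API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/*
 * Added example, not project code: the same XML handled by an unrestricted
 * XStream instance and by one limited to an explicit allow-list.
 */
public class XStreamTypeFilteringDemo {

    /** Constructed (hypothetical) domain type that the endpoint legitimately accepts. */
    public static class Order {
        public String sku;
        public int quantity;
    }

    /** No security configuration: the root element name is resolved to any class XStream can load. */
    static XStream unfiltered() {
        return new XStream();
    }

    /** Allow-list: drop every default permission, then admit only what the endpoint needs. */
    static XStream filtered() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);                       // <order> maps to Order
        return xs;
    }

    public static void main(String[] args) {
        // Constructed samples: one document the endpoint expects, and one whose root
        // element names a type it never meant to instantiate (a harmless one here).
        String expected = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.HashMap><entry><string>k</string><string>v</string></entry></java.util.HashMap>";

        XStream safe = filtered();
        Order o = (Order) safe.fromXML(expected);
        System.out.println("accepted: " + o.sku + " x" + o.quantity);

        try {
            safe.fromXML(unexpected);
            System.out.println("unexpected type was instantiated (allow-list not in effect)");
        } catch (ForbiddenClassException e) {
            // Thrown for the root type; rejections of nested types surface wrapped in ConversionException.
            System.out.println("rejected: " + e.getMessage());
        }

        // The unconfigured instance builds whatever the XML names; this is the
        // "deserialization without type filtering" the advisory describes.
        Object any = unfiltered().fromXML(unexpected);
        System.out.println("unfiltered instance produced: " + any.getClass().getName());
    }
}
```

The allow-list is the property that matters: a deserializer that only instantiates the handful of types an endpoint is documented to accept has nothing to gain from a document naming any other class. Note that XStream 1.4.18 and later activate the security framework by default, so the "unfiltered" instance in this example is less permissive there than in the XStream bundled with the affected Struts releases.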
Mitigation:
As mentioned in the Struts advisory, please upgrade to version 2.5.13 or 2.3.34. Note that there is no official workaround for this issue apart from removing the Struts REST plugin if it is not in use, or limiting its usage to the JSON format. Please use QID 370544 to detect vulnerable installations in your network.
QID 370544 is a Tomcat authenticated detection that looks for "struts core" jar files in the web application directories and the lib folder of the Tomcat server. This detection does NOT support applications deployed with unpackWARs="false" in the server.xml configuration file, because in that case the jar files remain inside the packed WAR archive instead of an expanded directory.
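The jar-file check described above can be reproduced with a small audit program. The following is an added example in Java (not the QID 370544 logic and not Apache code): it walks a Tomcat base directory, reports every struts2-core jar it finds with a verdict against the affected ranges quoted in this post, and also lists the contents of packed .war archives so that unpackWARs="false" deployments are covered. The /opt/tomcat default path is a placeholder, and the version-to-range mapping is this example's own reading of the advisory ranges.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/*
 * Added example, not Qualys or Apache code: a file-system audit for
 * struts2-core jars under a Tomcat base directory, including jars packed
 * inside .war archives. The check is by file name only; a renamed jar would
 * be missed, so treat a clean result as "nothing found", not "not vulnerable".
 */
public class StrutsCoreJarAudit {

    // Matches names such as struts2-core-2.3.33.jar or struts2-core-2.0.11.2.jar
    private static final Pattern JAR_NAME =
        Pattern.compile("^struts2-core-(\\d+)\\.(\\d+)\\.(\\d+)(?:\\.\\d+)?\\.jar$");

    /** Ranges from the S2-052 advisory: 2.1.2 - 2.3.33 and 2.5 - 2.5.12. */
    static boolean affected(int major, int minor, int patch) {
        if (major != 2) return false;
        if (minor == 1) return patch >= 2;   // 2.1.2 and later 2.1.x
        if (minor == 2) return true;         // every 2.2.x lies inside 2.1.2 - 2.3.33
        if (minor == 3) return patch <= 33;  // up to and including 2.3.33
        if (minor == 5) return patch <= 12;  // 2.5.0 - 2.5.12
        return false;
    }

    /** Returns a finding line for a struts2-core jar name, or null if the name does not match. */
    static String classify(String location, String fileName) {
        Matcher m = JAR_NAME.matcher(fileName);
        if (!m.matches()) return null;
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int patch = Integer.parseInt(m.group(3));
        String verdict = affected(major, minor, patch)
            ? "AFFECTED by CVE-2017-9805, upgrade to 2.3.34 / 2.5.13"
            : "outside the affected range";
        return location + " : " + verdict;
    }

    /** Walks catalinaBase (webapps/, lib/ and anything else below it). */
    static List<String> audit(Path catalinaBase) throws IOException {
        List<String> findings = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(catalinaBase)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                Path fn = p.getFileName();
                if (fn == null || !Files.isRegularFile(p)) continue;
                String name = fn.toString();
                if (name.endsWith(".jar")) {
                    String f = classify(p.toString(), name);
                    if (f != null) findings.add(f);
                } else if (name.endsWith(".war")) {
                    // Packed deployment: list the archive entries instead of an expanded directory.
                    try (ZipFile war = new ZipFile(p.toFile())) {
                        Enumeration<? extends ZipEntry> entries = war.entries();
                        while (entries.hasMoreElements()) {
                            String entry = entries.nextElement().getName();
                            String base = entry.substring(entry.lastIndexOf('/') + 1);
                            String f = classify(p + "!" + entry, base);
                            if (f != null) findings.add(f);
                        }
                    } catch (IOException e) {
                        findings.add(p + " : could not open archive (" + e.getMessage() + ")");
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder default; pass the real CATALINA_BASE as the first argument.
        Path base = Paths.get(args.length > 0 ? args[0] : "/opt/tomcat");
        List<String> findings = audit(base);
        if (findings.isEmpty()) System.out.println("no struts2-core jars found under " + base);
        for (String f : findings) System.out.println(f);
    }
}
```

Run it as the Tomcat service account (or root) so that every webapp directory is readable; an unreadable subtree makes Files.walk throw, which is the right behaviour for an audit rather than silently reporting nothing.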
Updates:
- QID 370544 now includes remote detection.
- Many variations of the exploit are available.
- A Metasploit module targeting Unix, Windows and Linux installations is in development.
- A Python script targeting Linux is available.
- Exploitation using Burp.
- Apache Struts has updated the affected versions to include 2.3.33.
- Struts 2.3.34 and 2.5.13 address this vulnerability.
Please continue to follow us on ThreatProtect for more information about this vulnerability.
References:
Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805)
Apache Struts : S2-052
OWASP : Deserialization Cheat Sheet
Red Hat Bugzilla : CVE-2017-9805