
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0139
  Possible Remote Code Execution attack when using the Struts REST plugin
                with XStream handler to handle XML payloads
                             6 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache Struts 2
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-9805  
Member content until: Friday, October 6 2017

OVERVIEW

        The Apache Software Foundation has published information regarding a 
        Remote Code Execution vulnerability in Struts 2 that affects many 
        products using the Struts REST plugin [1]. Apache has also published 
        information regarding the Struts update [2].


IMPACT

        The Apache Software Foundation has provided the following 
        description of the impact for the vulnerability.
        
        "The REST Plugin is using a XStreamHandler with an instance of XStream 
        for deserialization without any type filtering and this can lead to 
        Remote Code Execution when deserializing XML payloads." [1]
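        To illustrate what "type filtering" means in the quoted description, the
        following added example (not Struts or Apache code) configures a standalone
        XStream instance so that only an explicit allowlist of expected types can be
        instantiated from an XML payload; the Order class, the element names and the
        sample XML are assumptions made for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

/** Hypothetical request model that a REST endpoint legitimately expects. */
public class Order {
    public String id;
    public int quantity;

    /** Builds an XStream instance that only deserialises allowlisted types. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        // Start from an empty allowlist: no class may be created from XML ...
        xs.addPermission(NoTypePermission.NONE);
        // ... then re-enable only what the expected payload genuinely needs.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypeHierarchy(Map.class);
        xs.alias("order", Order.class);
        return xs;
    }

    /** Parses XML into an Order; returns null if the payload names a type outside the allowlist. */
    public static Order parseOrder(String xml) {
        try {
            return (Order) hardenedXStream().fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Log and reject: the payload tried to instantiate a class we never allowed.
            System.err.println("rejected payload: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads for the demonstration.
        String expected = "<order><id>A1</id><quantity>3</quantity></order>";
        String unexpected = "<java.util.Date>0</java.util.Date>";
        Order ok = parseOrder(expected);
        System.out.println("parsed: " + ok.id + " x" + ok.quantity);   // parsed: A1 x3
        System.out.println("rejected: " + (parseOrder(unexpected) == null)); // rejected: true
    }
}
```

        The patched plugin applies its own allowlist internally; the point of the example is that an XStream instance with no such restriction will instantiate whatever class the XML element names.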


MITIGATION

        The Apache Software Foundation recommends the following remedial 
        actions to be taken.
        
        "Upgrade to Apache Struts version 2.5.13." [1]


REFERENCES

        [1] 05 September 2017 - Struts 2.5.13 General Availability
            https://struts.apache.org/docs/s2-052.html

        [2] Struts
            https://struts.apache.org/announce.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================