===========================================================================
                   AUSCERT Security Bulletin ASB-2017.0139
      Possible Remote Code Execution attack when using the Struts REST
             plugin with XStream handler to handle XML payloads
                              6 September 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Apache Struts 2
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-9805
Member content until: Friday, October 6 2017

OVERVIEW

        The Apache Software Foundation has published information regarding
        Struts 2 which contains a Remote Code Execution vulnerability
        affecting many products that use Struts REST plugin [1].

        Apache have published information regarding the Struts Update [2].

IMPACT

        The Apache Software Foundation has provided the following description
        of the impact for the vulnerability.

        "The REST Plugin is using a XStreamHandler with an instance of XStream
        for deserialization without any type filtering and this can lead to
        Remote Code Execution when deserializing XML payloads." [1]

MITIGATION

        The Apache Software Foundation recommends the following remedial
        actions to be taken.

        "Upgrade to Apache Struts version 2.5.13." [1]

REFERENCES

        [1] 05 September 2017 - Struts 2.5.13 General Availability
            https://struts.apache.org/docs/s2-052.html

        [2] Struts
            https://struts.apache.org/announce.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
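The IMPACT section above quotes Apache's description of the root cause: an XStream instance deserializing request bodies "without any type filtering". The following is an added illustration (not AusCERT's bulletin text and not the Struts project's own code) of what such filtering looks like in XStream's security API: a default instance beside one that starts from deny-all and re-allows only the types the endpoint expects. The Order class, the XML documents and the class name used as a rejected stand-in are constructed for the example.

```java
// Added example: unfiltered XStream beside an allowlist-hardened one.
// Uses XStream's own TypePermission API (XStream 1.4.7 and later).
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Constructed data class: the only payload shape this endpoint accepts.
    public static class Order {
        public String item;
        public int quantity;
    }

    // Weak: no type filter is configured, so older XStream releases will
    // instantiate whatever class name the XML element happens to carry.
    static XStream unfiltered() {
        return new XStream();
    }

    // Hardened: deny every type first, then re-allow only what is needed.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);                       // tag name for Order
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Expected document: deserializes to an Order as intended.
        String expected = "<order><item>widget</item><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(expected);
        System.out.println("accepted: " + o.item + " x" + o.quantity);

        // A document naming any class outside the allowlist (java.util.HashMap
        // is a harmless stand-in here) is refused before an instance exists.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // unfiltered().fromXML(unexpected) would instead build the object.
    }
}
```

When auditing a deployment, the presence of such permissions on the XStream instance that handles untrusted input is the concrete property to look for; the upgrade to 2.5.13 named in MITIGATION is the supported way to obtain it in Struts.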