{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-017.pdf"
    },
    "title": "Remote Code Execution Attack Against Apache Struts REST Plugin",
    "serial_number": "2017-017",
    "publish_date": "07-09-2017 14:47:00",
    "description": "On August 16th 2017, a new vulnerability affecting Apache Struts 2 (CVE-2017-9805) was published. This vulnerability allows remote code execution attacks, when the Struts REST plugin is used with XStreamHandler to handle XML payloads. It is important to note that the code that exploits the vulnerability has been released through Metasploit.",
    "url_title": "2017-017",
    "content_markdown": "---\ntitle: 'Remote Code Execution Attack Against\u00a0Apache Struts REST Plugin'\nversion: '1.0'\nnumber: '2017-017'\nfontsize: '11pt'\n---\n\n_History:_\n\n* _07/09/2017 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nOn August 16th 2017, a new vulnerability affecting Apache Struts 2 (CVE-2017-9805) was published. Struts is a Java framework following the MVC model, running on Apache servers. This open-source framework is widely used to build web applications [1].\n\nThis vulnerability allows remote code execution attacks when the Struts REST plugin is used with `XStreamHandler` to handle XML payloads. The problem is due to the lack of filtering in `XStreamHandler` when deserializing XML payloads.\n\nIt is important to note that exploit code for the vulnerability has been released through Metasploit [2].\n\n# Products Affected\n\n* Struts 2.1.2 - Struts 2.3.33,\n* Struts 2.5 - Struts 2.5.12.\n\n# Recommendations\n\nA fix is available through an upgrade to Apache Struts version 2.3.34 or 2.5.13.\n\nIt is important to take into consideration that this upgrade might require changes in the code of the applications supported by the plugin. It is recommended to follow the backward compatibility notes in the original Apache advisory [1].\n\nWorkarounds to consider:\n\n1. Removing the Struts REST plugin, when not used.\n\n2. Limiting the plugin to serving normal pages and JSON only. In order to do that proceed as follows:\n\n    * Disable handling of XML pages and requests to such pages:\n\n      ```xml\n      <constant name=\"struts.action.extension\" value=\"xhtml,,json\" />\n      ```\n\n    * Override `getContentType` in `XStreamHandler`:\n\n      ```java\n      package com.company;\n      import org.apache.struts2.rest.handler.XStreamHandler;\n\n      // Return a content type no client will ever send, so the XML handler is never selected.\n      public class MyXStreamHandler extends XStreamHandler {\n          @Override\n          public String getContentType() {\n              return \"not-existing-content-type-@;/&%$#@\";\n          }\n      }\n      ```\n\n    * Register the handler by overriding the one provided by the framework in your `struts.xml`:\n\n      ```xml\n      <!-- The bean name must match the struts.rest.handlerOverride.xml value -->\n      <bean type=\"org.apache.struts2.rest.handler.ContentTypeHandler\" name=\"myXStreamHandler\" class=\"com.company.MyXStreamHandler\"/>\n      <constant name=\"struts.rest.handlerOverride.xml\" value=\"myXStreamHandler\"/>\n      ```\n\n# References\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-052>\n\n[2] <https://github.com/rapid7/metasploit-framework/pull/8924>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/09/2017 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 16th 2017, a new vulnerability affecting Apache Struts 2 (CVE-2017-9805) was published. Struts is a Java framework following the MVC model, running on Apache servers. This open-source framework is widely used to build web applications [1].</p><p>This vulnerability allows remote code execution attacks when the Struts REST plugin is used with <code>XStreamHandler</code> to handle XML payloads. The problem is due to the lack of filtering in <code>XStreamHandler</code> when deserializing XML payloads.</p><p>It is important to note that exploit code for the vulnerability has been released through Metasploit [2].</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>Struts 2.1.2 - Struts 2.3.33,</li><li>Struts 2.5 - Struts 2.5.12.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>A fix is available through an upgrade to Apache Struts version 2.3.34 or 2.5.13.</p><p>It is important to take into consideration that this upgrade might require changes in the code of the applications supported by the plugin. It is recommended to follow the backward compatibility notes in the original Apache advisory [1].</p><p>Workarounds to consider:</p><ol><li><p>Removing the Struts REST plugin, when not used.</p></li><li><p>Limiting the plugin to serving normal pages and JSON only. In order to do that proceed as follows:</p><ul><li><p>Disable handling of XML pages and requests to such pages:</p><div class=\"codehilite\"><pre><code>&lt;constant name=&quot;struts.action.extension&quot; value=&quot;xhtml,,json&quot; /&gt;\n</code></pre></div></li><li><p>Override <code>getContentType</code> in <code>XStreamHandler</code>:</p><div class=\"codehilite\"><pre><code>package com.company;\nimport org.apache.struts2.rest.handler.XStreamHandler;\n\n// Return a content type no client will ever send, so the XML handler is never selected.\npublic class MyXStreamHandler extends XStreamHandler {\n    @Override\n    public String getContentType() {\n        return &quot;not-existing-content-type-@;/&amp;%$#@&quot;;\n    }\n}\n</code></pre></div></li><li><p>Register the handler by overriding the one provided by the framework in your <code>struts.xml</code>:</p><div class=\"codehilite\"><pre><code>&lt;!-- The bean name must match the struts.rest.handlerOverride.xml value --&gt;\n&lt;bean type=&quot;org.apache.struts2.rest.handler.ContentTypeHandler&quot; name=&quot;myXStreamHandler&quot; class=&quot;com.company.MyXStreamHandler&quot;/&gt;\n&lt;constant name=&quot;struts.rest.handlerOverride.xml&quot; value=&quot;myXStreamHandler&quot;/&gt;\n</code></pre></div></li></ul></li></ol><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">https://cwiki.apache.org/confluence/display/WW/S2-052</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/rapid7/metasploit-framework/pull/8924\">https://github.com/rapid7/metasploit-framework/pull/8924</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}