RULE(RULE ID:320437)

Rule General Information
Release Date: 2018-11-05
Rule Name: Apache Struts 2 REST plugin Remote Code Execution Vulnerability -1 (CVE-2017-9805)
Severity:
CVE ID: CVE-2017-9805
Rule Protection Details
Description: The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or conduct further attacks.
Impact: An RCE attack is possible when the Struts REST plugin is used with the XStream handler to deserialise XML requests.
Affected OS: Windows, Solaris, FreeBSD, Other Unix, Linux
Reference:
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
SecurityFocus BID: 100609
SecurityTracker ID: 1039263
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
https://bugzilla.redhat.com/show_bug.cgi?id=1488482
https://cwiki.apache.org/confluence/display/WW/S2-052
https://lgtm.com/blog/apache_struts_CVE-2017-9805
https://security.netapp.com/advisory/ntap-20170907-0001/
https://struts.apache.org/docs/s2-052.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
Exploit-DB: 42627
https://www.kb.cert.org/vuls/id/112992
Solutions
Update to Struts version 2.5.13.