Out of Band Code Evaluation (Apache Struts 2)

Severity: Critical

Summary#

Invicti identified a Remote Code Evaluation (Apache Struts 2) by capturing a DNS A request, which occurs when input data is run as code.

Impact#

An attacker can send a specially crafted XML request to the application. The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Evaluation when deserializing the XML payloads.

Remediation#

Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Required Skills for Successful Exploitation#

This vulnerability is not difficult to leverage, Apache Struts 2 is a high level language for which there are vast resources available. Successful exploitation requires knowledge of the programming language, access to or the ability to produce source code for use in such attacks and minimal attack skills.

Classifications#

OWASP 2017-A1, CWE-94, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O, ISO27001-A.14.2.5, HIPAA-164.306(a), 164.308(a), PCI v3.2-6.5.1, OWASP 2013-A1

Invicti Security Insights

Why Framework Choice Matters in Web Application Security

Select Category

Search Vulnerability

Out of Band Code Evaluation (Apache Struts 2)

Related Articles

Build your resistance to threats. And save hundreds of hours each month.