The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

The REST Plugin in Apache Struts 2.1.6 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple Apache Struts 2 vulnerabilities.  One of the following vulnerabilities was detected on the asset:

  - CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2,   specifically 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  - CVE-2017-7672: Apache Struts version < 2.5.12
  - CVE-2017-9787: Apache Struts version < 2.5.12 or < 2.3.33
  - CVE-2017-9791: Struts 1 plugin in Apache Struts 2.3.x
  - CVE-2017-9793: Apache Struts < 2.3.7 - 2.3.33 & < 2.5 - 2.5.12
  - CVE-2017-9804: Apache Struts 2.3.7 -2.3.33 & 2.5 - 2.5.12
  - CVE-2017-12611: Apache Struts 2.0.1 - 2.3.33 & 2.5 - 2.5.10

The remote web application appears to use the Apache Struts 2 web framework. A remote code execution vulnerability exists in the REST plugin, which uses XStreamHandler to insecurely deserialize user-supplied input in XML requests. An unauthenticated, remote attacker can exploit this, via a specially crafted XML request, to execute arbitrary code.

Note that this plugin only reports the first vulnerable instance of a Struts 2 application.

The version of Apache Struts running on the remote host is 2.1.x subsequent or equal to 2.1.2, 2.2.x, 2.3.x prior to 2.3.34, or 2.5.x prior to 2.5.13. It is, therefore, affected by multiple vulnerabilities:

  - A remote code execution vulnerability in the REST plugin. The     Struts REST plugin uses an XStreamHandler with an instance of     XStream for deserialization and does not perform any type     filtering when deserializing XML payloads. This can allow an     unauthenticated, remote attacker to execute arbitrary code in the     context of the Struts REST plugin by sending a specially crafted     XML payload. (CVE-2017-9805)

  - A denial of service vulnerability in the XStream XML deserializer     in the XStreamHandler used by the REST plugin. (CVE-2017-9793)

  - A denial of service vulnerability when using URLValidator.
    (CVE-2017-9804)

  - A flaw exists related to 'freemarker' tags, expression literals,     'views/freemarker/FreemarkerManager.java', and forced     expressions that allows arbitrary code execution.
    (CVE-2017-12611)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
112763	Apache Struts 2.1.6 < 2.3.34 / 2.5 < 2.5.13 Remote Code Execution (S2-052)	Web App Scanning	Component Vulnerability	high
103663	Oracle WebLogic Server Multiple Vulnerabilities	Nessus	Misc.	critical
102977	Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE	Nessus	CGI abuses	high
102960	Apache Struts 2.1.x >= 2.1.2 / 2.2.x / 2.3.x < 2.3.34 / 2.5.x < 2.5.13 Multiple Vulnerabilities (S2-050 - S2-053)	Nessus	Misc.	critical

Detections

Analytics

CVE-2017-9805

high

Tenable Plugins

high

critical

high

critical