⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2017-9805

CWE-502 — Deserialization of Untrusted Data CWE-20 — Improper Input Validation CWE-39930 documents15 sources

Severity

8.1HIGH

EPSS

94.3%

top 0.05%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Struts Apache Software Foundation Apache Struts Cisco Hosted Collaboration Solution +1 more

Timeline

PublishedSep 15

KEV addedNov 3

KEV dueMay 3

CISA Required Action: Apply updates per vendor instructions.

Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶Mavenorg.apache.struts:struts2-rest-plugin2.1.1 — 2.3.34+1

▶NVDapache/struts2.1.2 — 2.3.34+1

▶CVEListV5apache_software_foundation/apache_strutsApache Struts before 2.3.34 and 2.5.x before 2.5.13

▶NVDcisco/media_experience_engine3.5, 3.5.2+1

▶NVDcisco/hosted_collaboration_solution4 versions+3

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering↗2018-10-16

▶

GHSA

REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering↗2018-10-16

▶

CVEList

CVE-2017-9805: The REST Plugin in Apache Struts 2↗2017-09-15

▶

VulnCheck

Apache Struts Deserialization of Untrusted Data Vulnerability↗2017

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution↗2017-09-06

▶

Nuclei

Apache Struts2 S2-052 - Remote Code Execution

▶

🔍Detection Rules

Suricata

ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)↗2019-06-26

▶

Suricata

ET SCAN struts-pwn User-Agent↗2017-10-16

▶

Suricata

ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)↗2017-09-07

▶

Suricata

ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1↗2017-09-07

▶

Suricata

ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2↗2017-09-07

▶

📋Vendor Advisories

CISA

Apache Struts Deserialization of Untrusted Data Vulnerability↗2021-11-03

▶

Cisco

Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017↗2017-09-07

▶

Red Hat

struts: RCE attack via REST plugin with XStream handler to deserialise XML requests↗2017-09-05

▶

🕵️Threat Intelligence

Talos

Another Apache Struts Vulnerability Under Active Exploitation↗2017-09-07

▶

Talos

Another Apache Struts Vulnerability Under Active Exploitation↗2017-09-07

▶

Tenable

Apache Struts REST Plugin XStream XML Request Deserialization RCE (CVE 2017-9805)↗2017-09-06

▶

💬Community

Bugzilla

CVE-2017-9793 CVE-2017-9805 struts: various flaws [epel-7]↗2017-09-05

▶

Bugzilla

CVE-2017-9793 CVE-2017-9805 struts: various flaws [fedora-all]↗2017-09-05

▶

Bugzilla

CVE-2017-9805 struts: RCE attack via REST plugin with XStream handler to deserialise XML requests↗2017-09-05

▶