Apache Struts is a widely used Java framework that is embedded into many enterprise applications, which means that any vulnerabilities provide a potentially very large attack surface. Today the open-source Struts project announced its 2.5.13 update fixing three vulnerabilities.
The highest-impact of the three issues, identified by the Struts project as CVE-2017-9805, is a possible Remote Code Execution (RCE) vulnerability.
“The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads,” the Struts project advisory warns.
CVE-2017-9805 was discovered by security researcher Man Yue Mo from lgtm.com and impacts all versions of Struts from 2008 onward. Mo reported the issue to the Struts project on July 17.
According to lgtm, it has a working exploit for the vulnerability though it is not going to release it publicly. The company added that to date it is not aware of any public working exploit for the CVE-2017-9805 vulnerability.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Mo wrote in a blog post. “On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
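The advisory's "without any type filtering" is the crux: XStream will instantiate whatever class the root element or a `class` attribute names unless it is told otherwise. The following is an added example (not code from Struts, the REST plugin, or lgtm) of the type allowlist XStream's security framework provides (available since XStream 1.4.7); `Order` and the `<order>` alias are hypothetical application types, and the sample XML is constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application model type: the only object the endpoint
    // is expected to receive.
    public static class Order {
        public int id;
        public String sku;
    }

    // Hardened instance: deny every type, then re-enable only what the
    // endpoint needs (nulls, primitives, String and the model class).
    // A bare `new XStream()` of that era accepted any class on the classpath,
    // which is the unfiltered behaviour the advisory describes.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // clears defaults
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    // True if the instance refuses the XML on type grounds. XStream raises
    // ForbiddenClassException, sometimes wrapped in a ConversionException;
    // both extend XStreamException.
    static boolean rejects(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a well-formed model document, and a document
        // naming a harmless JDK class that is simply not on the allowlist.
        String model = "<order><id>7</id><sku>ABC-1</sku></order>";
        String offModel = "<java.util.ArrayList/>";

        Order o = (Order) allowlisted().fromXML(model);
        System.out.println("model type accepted: " + (o.id == 7 && "ABC-1".equals(o.sku)));
        System.out.println("off-model type rejected: " + rejects(allowlisted(), offModel));
    }
}
```

The second check is the one to keep in a regression test: any class outside the allowlist, however benign, must be refused before XStream instantiates it.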
Additionally, the Struts 2.5.13 update patches a vulnerability in the REST plugin identified as CVE-2017-9793 that could have potentially enabled a Denial of Service (DoS) attack.
“The REST Plugin is using an outdated XStream library which is vulnerable and allows performing a DoS attack using a malicious request with a specially crafted XML payload,” the Struts project warned in its advisory.
The third vulnerability patched in the Struts 2.5.13 update is for a flaw in the URLValidator component identified as CVE-2017-9804 that could have potentially enabled a Denial of Service attack.
The new vulnerabilities in Struts come just a few months after another major Remote Code Execution vulnerability, identified as CVE-2017-5636, was patched. The same day that flaw was patched, multiple security vendors reported that the vulnerability was being actively attacked.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.