Remote Code Execution Vulnerability in Struts 2 (S2-052)

Summary

    Apache Struts 2 is one of the most popular MVC-based Java web server frameworks in the world. In effect it plays the role of a Servlet, acting as the controller that mediates data exchange between the model and the views.

    Apache released a security bulletin (S2-052) addressing a security vulnerability (CVE-2017-9805) in Struts 2. The bulletin says that a remote code execution (RCE) attack is possible when the Struts REST plugin uses the XStream handler to deserialize XML requests. Attackers can take advantage of this vulnerability to perform such operations as adding or deleting user accounts, viewing, modifying or deleting files, inserting backdoors, etc.

Solution

    1 Upgrade the affected versions to Struts 2.5.13, as the vulnerability has been fixed in the latest version of Struts 2.

    2 Disable the Struts REST plugin (do not enable this plugin unless necessary), and add the following configuration to the config file to restrict file extensions on the server side:

[image: configuration snippet]

    3 If a Sangfor NGAF appliance has been deployed in your network, update its vulnerability database to version 20170906 or later to defend against this vulnerability.
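The summary describes the root cause as XStream deserializing an XML request into whatever class the document names. The fix in Struts 2.5.13 (step 1) restricts the types XStream may instantiate; the following added example shows that hardening principle in plain XStream code. It is not the Struts REST plugin's own XStreamHandler, and the `Order` class, the `hardenedXStream`/`tryDeserialize` helpers and the two XML documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical request payload: the only object this REST endpoint expects.
public class Order {
    String sku;
    int quantity;

    // Build an XStream instance that starts from "deny all" and then allows
    // only the types the endpoint legitimately needs.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything
        xs.addPermission(NullPermission.NULL);                // allow null
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    // Returns true when the document deserialized into an Order; false when
    // XStream rejected a class outside the allow-list (it raises a
    // ForbiddenClassException, which may arrive wrapped in a ConversionException;
    // both are XStreamExceptions).
    static boolean tryDeserialize(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return o instanceof Order;
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();
        // Constructed sample: the shape of a legitimate request.
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        // Constructed sample: a document naming a class the endpoint never expects.
        String bad = "<java.io.File><path>/tmp/example</path></java.io.File>";
        System.out.println("good accepted: " + tryDeserialize(xs, good));
        System.out.println("bad accepted:  " + tryDeserialize(xs, bad));
    }
}
```

Without the `addPermission`/`allowTypes` calls, older XStream releases would happily instantiate the class named by the second document, which is the behaviour the advisory's deserialization issue relies on.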