CVE-2017-9805: Apache Struts Deserialization of Untrusted Data Vulnerability
First published: Tue Sep 05 2017(Updated: )
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/struts | <2.5.13 | 2.5.13 |
| maven/org.apache.struts:struts2-rest-plugin | >=2.1.1<2.3.34 | 2.3.34 |
| maven/org.apache.struts:struts2-rest-plugin | >=2.5.0<2.5.13 | 2.5.13 |
| Apache Struts 2 | ||
| Apache Struts 2 | >=2.1.2<2.3.34 | |
| Apache Struts 2 | >=2.5.0<2.5.13 | |
| Cisco Digital Media Manager | ||
| Cisco Hosted Collaboration Solution | =10.5\(1\) | |
| Cisco Hosted Collaboration Solution | =11.0\(1\) | |
| Cisco Hosted Collaboration Solution | =11.5\(1\) | |
| Cisco Hosted Collaboration Solution | =11.6\(1\) | |
| Cisco Media Experience Engine | =3.5 | |
| Cisco Media Experience Engine | =3.5.2 | |
| Cisco Network Performance Analysis | ||
| Cisco Videoscape Distribution Suite for Internet Streaming | ||
| NetApp OnCommand Balance | ||
| Apache Struts 2 | =2.1.2 | |
| Apache Struts 2 | =2.1.3 | |
| Apache Struts 2 | =2.1.4 | |
| Apache Struts 2 | =2.1.5 | |
| Apache Struts 2 | =2.1.6 | |
| Apache Struts 2 | =2.1.8 | |
| Apache Struts 2 | =2.1.8.1 | |
| Apache Struts 2 | =2.2.1 | |
| Apache Struts 2 | =2.2.1.1 | |
| Apache Struts 2 | =2.2.3 | |
| Apache Struts 2 | =2.2.3.1 | |
| Apache Struts 2 | =2.3.1 | |
| Apache Struts 2 | =2.3.1.1 | |
| Apache Struts 2 | =2.3.1.2 | |
| Apache Struts 2 | =2.3.3 | |
| Apache Struts 2 | =2.3.4 | |
| Apache Struts 2 | =2.3.4.1 | |
| Apache Struts 2 | =2.3.7 | |
| Apache Struts 2 | =2.3.8 | |
| Apache Struts 2 | =2.3.12 | |
| Apache Struts 2 | =2.3.14 | |
| Apache Struts 2 | =2.3.14.1 | |
| Apache Struts 2 | =2.3.14.2 | |
| Apache Struts 2 | =2.3.14.3 | |
| Apache Struts 2 | =2.3.15 | |
| Apache Struts 2 | =2.3.15.1 | |
| Apache Struts 2 | =2.3.15.2 | |
| Apache Struts 2 | =2.3.15.3 | |
| Apache Struts 2 | =2.3.16 | |
| Apache Struts 2 | =2.3.16.1 | |
| Apache Struts 2 | =2.3.16.2 | |
| Apache Struts 2 | =2.3.16.3 | |
| Apache Struts 2 | =2.3.20 | |
| Apache Struts 2 | =2.3.20.1 | |
| Apache Struts 2 | =2.3.20.3 | |
| Apache Struts 2 | =2.3.24 | |
| Apache Struts 2 | =2.3.24.1 | |
| Apache Struts 2 | =2.3.24.3 | |
| Apache Struts 2 | =2.3.28 | |
| Apache Struts 2 | =2.3.28.1 | |
| Apache Struts 2 | =2.3.29 | |
| Apache Struts 2 | =2.3.30 | |
| Apache Struts 2 | =2.3.31 | |
| Apache Struts 2 | =2.3.32 | |
| Apache Struts 2 | =2.3.33 | |
| Apache Struts 2 | =2.5.1 | |
| Apache Struts 2 | =2.5.2 | |
| Apache Struts 2 | =2.5.3 | |
| Apache Struts 2 | =2.5.4 | |
| Apache Struts 2 | =2.5.5 | |
| Apache Struts 2 | =2.5.6 | |
| Apache Struts 2 | =2.5.7 | |
| Apache Struts 2 | =2.5.8 | |
| Apache Struts 2 | =2.5.9 | |
| Apache Struts 2 | =2.5.10 | |
| Apache Struts 2 | =2.5.10.1 | |
| Apache Struts 2 | =2.5.11 | |
| Apache Struts 2 | =2.5.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- http://www.securityfocus.com/bid/100609
- http://www.securitytracker.com/id/1039263
- https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- https://cwiki.apache.org/confluence/display/WW/S2-052
- https://lgtm.com/blog/apache_struts_CVE-2017-9805
- https://security.netapp.com/advisory/ntap-20170907-0001/
- https://struts.apache.org/docs/s2-052.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://www.exploit-db.com/exploits/42627/
- https://www.kb.cert.org/vuls/id/112992
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1488487
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1488488
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
- https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
- https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
- https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
- https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
- https://github.com/advisories/GHSA-gg9m-fj3v-r58c (Advisory)
- https://security.netapp.com/advisory/ntap-20170907-0001
- https://www.exploit-db.com/exploits/42627
Frequently Asked Questions
What is the severity of CVE-2017-9805?
CVE-2017-9805 is considered a critical vulnerability due to its potential to allow remote code execution.
How do I fix CVE-2017-9805?
To fix CVE-2017-9805, upgrade the Apache Struts REST Plugin to version 2.3.34 or later for versions 2.1.2 to 2.3.x, or 2.5.13 for versions 2.5.x.
What are the affected versions for CVE-2017-9805?
CVE-2017-9805 affects Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13.
What kind of attacks can exploit CVE-2017-9805?
CVE-2017-9805 can be exploited through specially crafted XML payloads leading to remote code execution.
Are there any specific environments where CVE-2017-9805 is more vulnerable?
CVE-2017-9805 is particularly a concern in environments that make extensive use of the Apache Struts REST Plugin without proper type filtering during XML deserialization.
- agent/type
- agent/first-publish-date
- agent/title
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-9805
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/author
- agent/references
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gg9m-fj3v-r58c
- agent/last-modified-date
- agent/event
- agent/tags
- collector/github-advisory
- agent/softwarecombine
- agent/description
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/nvd-index
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache struts 2
- version/apache struts 2/2.1.2
- version/apache struts 2/2.5.0
- vendor/cisco
- canonical/cisco digital media manager
- canonical/cisco hosted collaboration solution
- version/cisco hosted collaboration solution/10.5\(1\)
- version/cisco hosted collaboration solution/11.0\(1\)
- version/cisco hosted collaboration solution/11.5\(1\)
- version/cisco hosted collaboration solution/11.6\(1\)
- canonical/cisco media experience engine
- version/cisco media experience engine/3.5
- version/cisco media experience engine/3.5.2
- canonical/cisco network performance analysis
- canonical/cisco videoscape distribution suite for internet streaming
- vendor/netapp
- canonical/netapp oncommand balance
- version/apache struts 2/2.1.3
- version/apache struts 2/2.1.4
- version/apache struts 2/2.1.5
- version/apache struts 2/2.1.6
- version/apache struts 2/2.1.8
- version/apache struts 2/2.1.8.1
- version/apache struts 2/2.2.1
- version/apache struts 2/2.2.1.1
- version/apache struts 2/2.2.3
- version/apache struts 2/2.2.3.1
- version/apache struts 2/2.3.1
- version/apache struts 2/2.3.1.1
- version/apache struts 2/2.3.1.2
- version/apache struts 2/2.3.3
- version/apache struts 2/2.3.4
- version/apache struts 2/2.3.4.1
- version/apache struts 2/2.3.7
- version/apache struts 2/2.3.8
- version/apache struts 2/2.3.12
- version/apache struts 2/2.3.14
- version/apache struts 2/2.3.14.1
- version/apache struts 2/2.3.14.2
- version/apache struts 2/2.3.14.3
- version/apache struts 2/2.3.15
- version/apache struts 2/2.3.15.1
- version/apache struts 2/2.3.15.2
- version/apache struts 2/2.3.15.3
- version/apache struts 2/2.3.16
- version/apache struts 2/2.3.16.1
- version/apache struts 2/2.3.16.2
- version/apache struts 2/2.3.16.3
- version/apache struts 2/2.3.20
- version/apache struts 2/2.3.20.1
- version/apache struts 2/2.3.20.3
- version/apache struts 2/2.3.24
- version/apache struts 2/2.3.24.1
- version/apache struts 2/2.3.24.3
- version/apache struts 2/2.3.28
- version/apache struts 2/2.3.28.1
- version/apache struts 2/2.3.29
- version/apache struts 2/2.3.30
- version/apache struts 2/2.3.31
- version/apache struts 2/2.3.32
- version/apache struts 2/2.3.33
- version/apache struts 2/2.5.1
- version/apache struts 2/2.5.2
- version/apache struts 2/2.5.3
- version/apache struts 2/2.5.4
- version/apache struts 2/2.5.5
- version/apache struts 2/2.5.6
- version/apache struts 2/2.5.7
- version/apache struts 2/2.5.8
- version/apache struts 2/2.5.9
- version/apache struts 2/2.5.10
- version/apache struts 2/2.5.10.1
- version/apache struts 2/2.5.11
- version/apache struts 2/2.5.12