Added: 09/08/2017
CVE: CVE-2017-9805
BID: 100609
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
The REST plugin in Apache Struts uses **XStreamHandler** with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands.
Upgrade to Apache Struts 2.3.34, 2.5.13, or higher.
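As an added illustration (not code from the Struts project or this advisory), the contrast the advisory describes: an XStream instance with no type filtering, where the root element of the XML decides which class is instantiated, beside one restricted to an explicit allow-list via XStream's own permission API. The Order class, the XML documents and the class name are constructed; it assumes XStream 1.4.10 through 1.4.17, where a plain `new XStream()` still accepts any type (1.4.18 made the allow-list the default).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamAllowlistDemo {

    /** Constructed model type standing in for what a REST endpoint actually expects. */
    public static class Order {
        public int id;
        public String item;
    }

    /** Weak setup: no type filtering, so the XML root element chooses the class. */
    public static XStream unfiltered() {
        return new XStream();
    }

    /** Hardened setup: deny every type, then allow only the expected model and its field types. */
    public static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);                   // start from an empty allow-list
        xs.allowTypes(new Class[] { Order.class, String.class });  // only what the endpoint expects
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed inputs: one document the endpoint expects, one naming a type it never expects.
        String expected = "<order><id>42</id><item>widget</item></order>";
        String unexpected = "<java.lang.StringBuilder>not an order</java.lang.StringBuilder>";

        Order o = (Order) allowlisted().fromXML(expected);
        System.out.println("allow-listed parser accepted Order " + o.id + " / " + o.item);

        // The unfiltered parser instantiates whatever class the element names.
        Object produced = unfiltered().fromXML(unexpected);
        System.out.println("unfiltered parser produced " + produced.getClass().getName());

        // The allow-listed parser refuses the type before any converter runs.
        try {
            allowlisted().fromXML(unexpected);
            System.out.println("unexpected: allow-list did not reject the type");
        } catch (ForbiddenClassException e) {
            System.out.println("allow-listed parser rejected: " + e.getMessage());
        }
    }
}
```

Logging the ForbiddenClassException path is also a cheap detection signal: a deployed endpoint should never see element names outside its model types.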
<https://struts.apache.org/docs/s2-052.html>
<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>
Exploit works on Struts 2.5.10 running on Linux.
Windows
Linux
Linux x64