Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Struts 2 REST Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Apache Struts 2 REST Plugin, affecting versions 2.1.1 through 2.3.x prior to 2.3.34 and 2.5.x prior to 2.5.13. The vulnerability arises because the REST Plugin uses an XStreamHandler to deserialize XML request payloads without any type filtering, so the deserializer will instantiate whatever classes the incoming XML names. An attacker who can submit XML to the plugin can use this missing validation to execute arbitrary code on the server.
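The affected-version ranges above are the first thing a defender checks against an inventory. The following is an added example by the editor, not code from the advisory or from the Struts project: it parses version strings as a dependency scanner or jar filename would report them and tests them against exactly the ranges stated here. The function names and the sample version strings are the editor's own constructions.

```python
"""Check Struts 2 version strings against the affected ranges stated in the advisory.

Added example, not code from the advisory or the Struts project. The ranges follow
the advisory text: 2.1.1 through 2.3.x before 2.3.34, and 2.5.x before 2.5.13.
"""
import re

# Affected ranges as (inclusive_start, exclusive_end) tuples, taken from the advisory.
AFFECTED_RANGES = (
    ((2, 1, 1), (2, 3, 34)),   # 2.1.1 .. 2.3.33 (covers 2.1.x, 2.2.x, 2.3.x < 2.3.34)
    ((2, 5, 0), (2, 5, 13)),   # 2.5.0 .. 2.5.12
)

# Leading major.minor[.patch]; trailing qualifiers such as "-SNAPSHOT" or ".1" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for strings like '2.3.33' or '2.5.12.1-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to 'affected' / 'not affected' for a short report."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory: the boundary versions are the interesting cases.
    sample = ["2.1.0", "2.1.1", "2.3.33", "2.3.34", "2.5.0", "2.5.12", "2.5.13", "2.5.12-SNAPSHOT"]
    for version, verdict in triage(sample).items():
        print(f"{version:16s} {verdict}")
```

The comparison is tuple-based so that `2.3.34` sorts after `2.3.4`, which a plain string comparison would get wrong; the fixed versions themselves (2.3.34 and 2.5.13) are the exclusive upper bounds and therefore report as not affected.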

Impact

Exploitation of this vulnerability allows for remote code execution on the affected server, with the executed code running in the context of the Struts application.

Reproduction

To reproduce this vulnerability, send a crafted XML payload to a server running an affected version of Apache Struts 2 with the REST Plugin enabled. The payload must be designed to exploit the deserialization process handled by XStream, leading to the execution of arbitrary code on the server.

Remediation

Upgrade to Apache Struts 2.5.13 or 2.3.34. If the REST Plugin is not needed, remove it. If it must be retained, restrict it to serving only standard pages and JSON by adjusting the 'struts.action.extension' constant in the 'struts.xml' configuration file, so that XML requests are no longer routed to the plugin's XStream handler.
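To make the configuration workaround concrete, here is an added example by the editor (not configuration or code from the Struts project) that embeds two constructed struts.xml fragments and audits them. The weak fragment keeps 'xml' in the struts.action.extension list, so the REST Plugin still handles .xml requests; the hardened fragment lists only the page and JSON extensions. The constant name comes from the advisory; the exact value 'xhtml,,json', the assumed plugin default 'xhtml,,xml,json', and the function names are the editor's assumptions and should be confirmed against the struts-plugin.xml shipped inside your REST plugin jar.

```python
"""Audit the REST Plugin's struts.action.extension setting in struts.xml.

Added example, not configuration or code from the Struts project. Both fragments
below are constructed samples; the values are the editor's assumptions.
"""
import xml.etree.ElementTree as ET

WEAK_STRUTS_XML = """<struts>
    <!-- constructed sample: extension list still routes .xml requests to the REST plugin -->
    <constant name="struts.action.extension" value="xhtml,,xml,json"/>
</struts>
"""

HARDENED_STRUTS_XML = """<struts>
    <!-- constructed sample: 'xml' removed, so the plugin serves pages and JSON only -->
    <constant name="struts.action.extension" value="xhtml,,json"/>
</struts>
"""

# Editor's assumption of what the REST plugin applies when struts.xml sets nothing.
ASSUMED_PLUGIN_DEFAULT = ("xhtml", "", "xml", "json")


def action_extensions(struts_xml_text):
    """Return the extensions configured via struts.action.extension, or None if unset.

    An empty entry (the ',,' in the value) means 'no extension' and is kept,
    because Struts reads the constant as a plain comma-separated list.
    """
    root = ET.fromstring(struts_xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.action.extension":
            return const.get("value", "").split(",")
    return None


def rest_plugin_accepts_xml(struts_xml_text, plugin_default=ASSUMED_PLUGIN_DEFAULT):
    """True when requests with an .xml extension would still reach the REST plugin.

    If struts.xml does not set the constant, the plugin's own default applies;
    the default used here is an assumption, so an unset constant is reported as
    accepting XML until the shipped struts-plugin.xml proves otherwise.
    """
    exts = action_extensions(struts_xml_text)
    if exts is None:
        exts = list(plugin_default)
    return "xml" in exts


def audit(struts_xml_text):
    """Return a one-line verdict suitable for a configuration review report."""
    exts = action_extensions(struts_xml_text)
    configured = "unset (plugin default assumed)" if exts is None else ",".join(exts)
    status = "still accepts XML" if rest_plugin_accepts_xml(struts_xml_text) else "XML disabled"
    return f"struts.action.extension = {configured}: {status}"


if __name__ == "__main__":
    print("weak:     ", audit(WEAK_STRUTS_XML))
    print("hardened: ", audit(HARDENED_STRUTS_XML))
```

Note that removing 'xml' from the extension list is a workaround that narrows the attack surface; it does not change the deserializer itself, which is why the upgrade remains the primary remediation.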

Added: Mar 16, 2026, 8:34 PM
Updated: Mar 16, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 9.0
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.