VID |
27108 |
Severity |
40 |
Port |
139,445 |
Protocol |
TCP |
Class |
SMB |
Detailed Description |
The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
* Platforms Affected: Apache Struts 2.3.x prior to 2.3.34 Any operating system Any version |
Recommendation |
Upgrade to the latest version of Apache Struts (2.3.34 or later), available from the Apache Struts Web page at https://struts.apache.org/download.cgi |
Related URL |
CVE-2017-9805 (CVE) |
Related URL |
(SecurityFocus) |
Related URL |
(ISS) |
|