Korean
<< Back
VID 27108
Severity 40
Port 139,445
Protocol TCP
Class SMB
Detailed Description The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.

* References:
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

* Platforms Affected:
Apache Struts 2.3.x prior to 2.3.34
Any operating system Any version
Recommendation Upgrade to the latest version of Apache Struts (2.3.34 or later), available from the Apache Struts Web page at
https://struts.apache.org/download.cgi
Related URL CVE-2017-9805 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)