Summary

Who should read this All Struts 2 developers and users which are using the REST plugin Impact of vulnerability A DoS attack is possible when using XStream handler with the Struts REST plugin Maximum security rating Medium Recommendation Upgrade to Struts 2.5.16 Affected Software Struts 2.1.1 - Struts 2.5.14.1 Reporter Yevgeniy Grushka & Alvaro Munoz from HPE CVE Identifier CVE-2018-1327

Problem

A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.

Solution

If you are using the REST plugin, upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Use Jackson XML handler instead of the default XStream handler as described here.