Security experts Yevgeniy Grushka and Alvaro Munoz from HPE discovered a DoS vulnerability in the Apache Strust2 REST plug-in. The Strust REST plug-in uses the XStream library, which is vulnerable to DoS attacks launched through malicious XML requests.
Apache Struts2 REST plug-in DoS vulnerability (S2-056)
The S2-056 vulnerability exists in the Apache Struts2 REST plug-in. When you use the XStream handler to deserialize XML data without proper input validation, attackers can submit malicious XML data to launch DoS attacks on your application.
When malicious attackers flood your server with superfluous requests, your CPU resources can be exhausted rapidly.
For more information about this vulnerability, see the official security bulletins.
Struts 2.1.1 to Struts 220.127.116.11.
Upgrade to Apache Struts version 2.5.16.
If you do not want to upgrade Apache Struts to resolve this vulnerability, we recommend that you use HTTP ACL policies and custom HTTP flood protection provided by WAF to protect your business.
- You can add access control rules to block POST requests that contain specific XML data, such as
com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource. This can prevent DoS attacks from exploiting this vulnerability. For example, you can add the following rule to block malicious requests sent to pages where the XStream handler is used in the Apache Strust REST plug-in.
- You can also use custom HTTP flood protection to restrict the frequency at which IP addresses send requests to pages where the XStream handler is used in the Apache Strust REST plug-in. For example, you can add the following rule to restrict the frequency at which requests are sent to specific pages to 100 times per 5 seconds.