Two security experts (Yevgeniy Grushka and Alvaro Munoz) from Hewlett Packard Enterprise (HPE) found a denial of service (DoS) vulnerability in the Apache Struts2 REST plug-in. If the Struts REST plug-in uses the XStream library to handle XML requests, an attacker can send a crafted XML request that launches a DoS attack.

CVE ID

CVE-2018-1327

Vulnerability name

DoS vulnerability in the Apache Struts2 REST plug-in (S2-056)

Vulnerability description

The S2-056 vulnerability exists in the Apache Struts2 REST plug-in. If the plug-in uses the XStream library to deserialize XML request bodies and the XML content is not validated before deserialization, attackers can launch remote DoS attacks by sending malicious XML data.

If attackers send a large number of such requests, the CPU resources of the server that hosts your applications are exhausted rapidly.

For more information about the vulnerability, see the official vulnerability disclosure.

Affected versions

Struts 2.1.1 to 2.5.14.1

Solution

Upgrade your Apache Struts to 2.5.16.

Protection recommendations

If you do not want to upgrade Apache Struts to fix the vulnerability, we recommend that you use the custom protection policy and HTTP flood protection features provided by WAF to protect your business.

  • You can use the custom protection policy feature to create a rule that blocks POST requests whose body contains the specific XML class reference com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource. This blocks the DoS attack requests that exploit this vulnerability. For example, configure the following rule to block attack requests to applications that use Apache Struts with a REST plug-in that relies on the XStream library.
  • You can use the HTTP flood protection feature to limit the request rate from a single IP address, for example, for requests to applications that use Apache Struts with a REST plug-in that relies on the XStream library. For example, configure the following rule to make sure that the request rate to a specified page does not exceed 100 requests every 5 seconds.
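As an added example (not part of this advisory and not the WAF product's own rule engine), the following Python reproduces the two protections above as stand-alone logic so they can be inspected and tested offline: a body match on the class reference named above, and a sliding-window limit of 100 requests per 5 seconds per source IP and path. The request record layout, the IP addresses, the path /orders.xml and the sample bodies are constructed assumptions for illustration.

```python
"""Added example (not the WAF's own rules): the two protections from the
advisory as plain Python, run over constructed sample traffic.

1. Block POST bodies that reference the class named on the page.
2. Rate-limit requests per (source IP, path) to 100 per 5 seconds.
"""
from collections import defaultdict, deque

# Marker string from the advisory. Matching is done on the raw body before any
# XML parsing, so the matcher itself cannot be tripped by a malformed document.
BLOCKED_MARKER = "com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"

# Constructed sample bodies (assumptions, not captured traffic).
BENIGN_BODY = "<order><id>42</id><item>book</item></order>"
MALICIOUS_BODY = "<map><entry>" + BLOCKED_MARKER + "</entry></map>"


def is_s2056_payload(method: str, content_type: str, body: str) -> bool:
    """True if the request matches the custom protection rule from the page."""
    if method.upper() != "POST":
        return False
    # The REST plug-in only hands XML to XStream, so only XML bodies matter.
    if "xml" not in content_type.lower():
        return False
    return BLOCKED_MARKER in body


class SlidingWindowLimiter:
    """Per (ip, path) limiter: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int = 100, window: float = 5.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # (ip, path) -> request timestamps

    def allow(self, ip: str, path: str, now: float) -> bool:
        q = self._hits[(ip, path)]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_requests(requests, limit: int = 100, window: float = 5.0):
    """Return (index, decision) per request: 'allow', 'block-payload' or 'block-rate'."""
    limiter = SlidingWindowLimiter(limit, window)
    decisions = []
    for i, r in enumerate(requests):
        if is_s2056_payload(r["method"], r["content_type"], r["body"]):
            decisions.append((i, "block-payload"))
            continue
        if not limiter.allow(r["ip"], r["path"], r["time"]):
            decisions.append((i, "block-rate"))
            continue
        decisions.append((i, "allow"))
    return decisions


def sample_decisions():
    """Run the filter over constructed traffic: 3 single requests, a burst of
    101 from one IP at the same instant, then one more after the window."""
    reqs = [
        {"ip": "10.0.0.1", "path": "/orders.xml", "method": "GET",
         "content_type": "", "body": "", "time": 0.0},
        {"ip": "10.0.0.1", "path": "/orders.xml", "method": "POST",
         "content_type": "application/xml", "body": BENIGN_BODY, "time": 0.1},
        {"ip": "10.0.0.2", "path": "/orders.xml", "method": "POST",
         "content_type": "application/xml", "body": MALICIOUS_BODY, "time": 0.2},
    ]
    burst = {"ip": "10.0.0.3", "path": "/orders.xml", "method": "POST",
             "content_type": "application/xml", "body": BENIGN_BODY, "time": 1.0}
    reqs += [dict(burst) for _ in range(101)]  # the 101st exceeds 100 per 5 s
    reqs.append(dict(burst, time=6.0))          # 5 s later the window has expired
    return filter_requests(reqs)


if __name__ == "__main__":
    for idx, decision in sample_decisions():
        if decision != "allow":
            print(f"request {idx}: {decision}")
```

The payload check runs before the rate limiter so that a matching request never consumes the budget of the legitimate traffic sharing that IP, and the limiter keys on (IP, path) because the advisory's rate rule is scoped to a specified page rather than the whole site.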

For more information about the custom protection policy and HTTP flood protection features, see Create a custom protection policy.