Security researchers Yevgeniy Grushka and Alvaro Munoz of HPE reported a denial-of-service (DoS) vulnerability in the Apache Struts2 REST plug-in. The plug-in uses the XStream library to deserialize XML request bodies, and XStream is vulnerable to DoS attacks triggered by specially crafted XML requests.

CVE number

CVE-2018-1327

Vulnerability name

Apache Struts2 REST plug-in DoS vulnerability (S2-056)

Description

The S2-056 vulnerability exists in the Apache Struts2 REST plug-in. When the plug-in uses the XStream handler to deserialize XML data without proper input validation, an attacker can submit a specially crafted XML payload to launch a DoS attack against your application.

Deserializing such a payload is expensive, so an attacker who sends these requests repeatedly can rapidly exhaust the CPU resources of your server.

For more information about this vulnerability, see the official security bulletins.

Affected versions

Struts 2.1.1 to Struts 2.5.14.1.

Fix

Upgrade to Apache Struts version 2.5.16 or later.

Protection tips

If you cannot upgrade Apache Struts right away, we recommend that you use the HTTP ACL policies and custom HTTP flood protection provided by WAF to protect your business until you do. These rules only reduce the chance of exploitation; they do not remove the vulnerable code, so upgrading remains the actual fix.

  • You can add an access control rule that blocks POST requests whose body contains specific XML data, such as the class name com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource that appears in the known S2-056 payload. This prevents requests that exploit this vulnerability from reaching your application. Scope the rule to the pages where the XStream handler is used in the Apache Struts REST plug-in (requests with an XML Content-Type or a .xml extension) so that ordinary traffic is not affected.

  • You can also use custom HTTP flood protection to restrict the frequency at which each IP address sends requests to the pages where the XStream handler is used in the Apache Struts REST plug-in. For example, you can add a rule that limits requests from one IP address to a specific page to 100 times per 5 seconds.

For more information about access control rules and custom HTTP flood protection, see HTTP ACL Policy and Custom HTTP flood protection.
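The two protection tips above are easy to get wrong in practice (matching the marker in any request inflates false positives, and a rate limit that is not scoped to the XStream pages throttles harmless traffic). The following block is an added example that is not part of this page, of WAF, or of Apache Struts: it implements both tips as a plain request filter, first an ACL check that only fires for requests the REST plug-in would route to the XStream handler, then a per-IP sliding-window limit of 100 requests per 5 seconds. The function names, the inclusion of PUT alongside POST, and the sample requests are assumptions made here; the sample XML body merely contains the marker string and is not a real exploit payload.

```python
"""S2-056 mitigation as a request filter: ACL rule plus per-IP rate limit.

Added example, not code from WAF or Apache Struts. Function names, the
PUT assumption and the sample traffic are constructed for illustration.
"""
import time
from collections import defaultdict, deque

# Marker named in the protection tips: the class that the known S2-056
# payload references inside the XML body.
XSTREAM_DOS_MARKER = b"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"

# Methods whose bodies the REST plug-in deserializes. The page's rule names
# POST; PUT is included here as an assumption because it also carries a body.
BODY_METHODS = {"POST", "PUT"}


def uses_xstream_handler(path, content_type):
    """True if the REST plug-in would hand this request to the XStream handler.

    The handler is selected from the Content-Type media type or from a .xml
    extension on the request path; parameters such as "; charset=..." and the
    query string are ignored when matching.
    """
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type in ("application/xml", "text/xml") or media_type.endswith("+xml"):
        return True
    return path.split("?", 1)[0].lower().endswith(".xml")


def should_block(method, path, content_type, body):
    """ACL decision for the first protection tip.

    Blocks only when the request (a) carries a body the plug-in deserializes,
    (b) is routed to the XStream handler and (c) contains the marker string.
    Scoping to (a) and (b) keeps the marker check from hitting other traffic.
    """
    if method.upper() not in BODY_METHODS:
        return False
    if not uses_xstream_handler(path, content_type):
        return False
    return XSTREAM_DOS_MARKER in body


class SlidingWindowLimiter:
    """Per-IP sliding window for the second tip (default 100 requests / 5 s)."""

    def __init__(self, limit=100, window=5.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps inside the window

    def allow(self, ip, now=None):
        """Record one request from ip and return False once the limit is hit."""
        now = time.monotonic() if now is None else now
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:   # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def filter_traffic(requests, limiter):
    """Apply the ACL rule, then the rate limit, to (ts, ip, method, path, ctype, body).

    Returns one verdict per request: "block-acl", "block-rate" or "allow".
    Only requests routed to the XStream handler count against the limit.
    """
    verdicts = []
    for ts, ip, method, path, ctype, body in requests:
        if should_block(method, path, ctype, body):
            verdicts.append("block-acl")
        elif uses_xstream_handler(path, ctype) and not limiter.allow(ip, now=ts):
            verdicts.append("block-rate")
        else:
            verdicts.append("allow")
    return verdicts


# Constructed sample traffic (not real exploit payloads): an XML body that
# contains the marker, an ordinary XML body, and a JSON body.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.1", "POST", "/orders/1.xml", "application/xml; charset=UTF-8",
     b"<map><entry><string>k</string><" + XSTREAM_DOS_MARKER + b"/></entry></map>"),
    (0.1, "10.0.0.2", "POST", "/orders/1.xml", "application/xml",
     b"<order><id>1</id></order>"),
    (0.2, "10.0.0.3", "POST", "/orders/1", "application/json",
     b'{"id": 1}'),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, filter_traffic(SAMPLE_REQUESTS, SlidingWindowLimiter())):
        print(req[1], req[2], req[3], "->", verdict)
```

The ACL check runs before the rate limit so that a blocked payload is rejected regardless of the sender's request rate, while the limiter only counts requests that actually reach an XStream-handled page, which is the scoping the second tip asks for.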