Two security experts (Yevgeniy Grushka and Alvaro Munoz) from Hewlett Packard Enterprise (HPE) found a denial of service (DoS) vulnerability in the Apache Struts2 REST plug-in. If you use the XStream library in the Struts REST plug-in, an attacker can construct a malicious XML request to launch a DoS attack.
CVE ID
CVE-2018-1327
Vulnerability name
DoS vulnerability in the Apache Struts2 REST plug-in (S2-056)
Vulnerability description
The S2-056 vulnerability exists in the Apache Struts2 REST plug-in. If the plug-in uses the XStream library to deserialize XML-format requests and the data content is not validated, attackers can launch remote DoS attacks by sending malicious XML data.
If attackers send a large number of such requests, the CPU resources of the server that hosts your applications are exhausted rapidly.
For more information about the vulnerability, visit Official vulnerability disclosure.
Affected versions
Struts 2.1.1 to 2.5.14.1
Solution
Upgrade your Apache Struts to 2.5.16.
Protection recommendations
If you do not want to upgrade Apache Struts to fix the vulnerability, we recommend that you use the custom protection policy and HTTP flood protection features provided by WAF to protect your business.
- You can use the custom protection policy feature to create a rule that blocks POST requests whose body contains the specific XML data string (com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource). This prevents the DoS attack requests launched by using this vulnerability. For example, configure such a rule to block attack requests to applications that use Apache Struts with a REST plug-in that uses the XStream library.
- You can use the HTTP flood protection feature to limit the frequency of requests from a single IP address, for example, requests to applications that use Apache Struts with a REST plug-in that uses the XStream library. For example, configure a rule that makes sure that the request frequency to a specified page does not exceed 100 requests every 5 seconds.
For more information about the custom protection policy and HTTP flood protection features, see Create a custom protection policy.
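To make the two recommendations above concrete, the following is an added reference implementation of the decision logic they describe (my own example, not the WAF product's rule syntax or code): a signature match on POST bodies for the XML data string, plus a per-IP, per-page sliding-window limit of 100 requests every 5 seconds. The request dict format, IP addresses and paths are constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Signature quoted in the advisory: the custom rule looks for it in POST bodies.
XSTREAM_DOS_MARKER = "com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"


def matches_custom_rule(method, body):
    """Custom protection policy: block POST requests that carry the marker."""
    return method.upper() == "POST" and XSTREAM_DOS_MARKER in (body or "")


class PageRateLimiter:
    """HTTP flood protection: at most `limit` requests per (client IP, page)
    inside any sliding window of `window` seconds (advisory: 100 per 5 s)."""
    def __init__(self, limit=100, window=5.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # (ip, path) -> timestamps of recent hits

    def allow(self, ip, path, now):
        q = self._hits[(ip, path)]
        while q and now - q[0] >= self.window:  # expire hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(req, limiter):
    """Apply both protections to one request dict; return 'block' or 'allow'."""
    if matches_custom_rule(req["method"], req.get("body")):
        return "block"  # the custom rule fires regardless of request rate
    if not limiter.allow(req["ip"], req["path"], req["ts"]):
        return "block"  # flood protection: page request frequency exceeded
    return "allow"


def simulate(requests):
    """Run a request stream through a fresh limiter and return the decisions."""
    limiter = PageRateLimiter()
    return [decide(r, limiter) for r in requests]


# Constructed sample traffic (hypothetical IPs and paths): one ordinary GET, one
# POST carrying the signature, then 101 POSTs within one second from one client.
SAMPLE_REQUESTS = (
    [{"ip": "203.0.113.5", "path": "/orders", "method": "GET", "ts": 0.0},
     {"ip": "203.0.113.5", "path": "/orders", "method": "POST",
      "body": "<x>" + XSTREAM_DOS_MARKER + "</x>", "ts": 0.1}]
    + [{"ip": "198.51.100.7", "path": "/orders", "method": "POST",
        "body": "<order/>", "ts": 0.2 + 0.005 * i} for i in range(101)]
)
```

Running `simulate(SAMPLE_REQUESTS)` allows the GET, blocks the signed POST on the custom rule, and blocks only the 101st request of the burst on the flood rule.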