Another month, another Struts2 remote code execution (RCE) vulnerability (CVE-2017-9805). However, this time the attack vector does not involve any arbitrary OGNL expression evaluations but an unsafe deserialization.
The vulnerability is located in the REST plugin code, so only users of this plugin are affected. This is not the first time a Remote Code Execution vulnerability has been reported in the Struts2 REST plugin: we reported S2-033, and a few months later S2-037 was also reported. This time, however, the vulnerability was echoed by the major InfoSec media sites.
According to the researchers who reported the issue, the vulnerability is in the XStreamHandler class, which performs an unprotected deserialization of data coming from the request body.
It was not clear in the original write-up where the controllable data was coming from, so, since Fortify SCA supports XStream, I decided to take a look and see what SCA was reporting. Configuring the project was quick and easy. I made sure we had all dependencies by fetching them with "mvn dependency:copy-dependencies" and then kicked off the scan. The scan completed in less than a minute and there it was:
No custom rules were needed since the source of taint is coming from the standard servlet request class.
The dataflow taint trace was short and began at ContentTypeInterceptor, an interceptor registered by default in the Struts2 interceptor stack when the REST plugin is in use. The contents of the request body are read and passed to the handler selected by the request's content-type.
The dataflow is followed by the SCA taint analyzer which returns the diagram leading to the vulnerability:
Ultimately, this RCE vulnerability in the REST plugin for Struts2 again reminds us all that dependencies need to be scanned and reviewed on a regular basis. The affected versions are Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12. Make sure to upgrade to Apache Struts version 2.5.13 or 2.3.34.
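As an added illustration of the defect described above (this is example code, not Struts' own XStreamHandler), the following contrasts an XStream instance that deserializes whatever root type the request body names with one locked down through XStream's type-permission API to the single bean the endpoint expects. The `Order` bean, the `order` alias and the two request bodies are constructed for the demo; the permission calls are XStream's documented security framework (1.4.7+).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class XStreamAllowListDemo {
    // Hypothetical request bean, standing in for a REST action's model.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Unprotected: the XML root element selects any class on the classpath.
    static XStream unprotected() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened: deny every type, then allow only what this endpoint needs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);            // clear the default allow-all
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypeHierarchy(Map.class);
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs;
    }

    public static void main(String[] args) {
        // Constructed bodies: a legitimate order and one naming a type the API never expects.
        String expected = "<order><sku>A-1</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.Locale>en_US</java.util.Locale>";

        Order o = (Order) hardened().fromXML(expected);
        System.out.println("accepted: " + o.sku + " x" + o.quantity);
        try {
            hardened().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allow-list: " + e.getMessage());
        }
        // The unprotected instance instantiates whatever type the body names.
        System.out.println("unprotected built: " + unprotected().fromXML(unexpected).getClass());
    }
}
```

The hardened instance fails closed: a body naming a type outside the allow-list is rejected in the mapper before any converter runs, which is the property the unpatched handler lacked.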