
Critical Apache Struts security flaw makes it 'easy' to hack Fortune 100 firms - fencepost
http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
======
fencepost
TL;DR: a problem in deserializing untrusted data submitted via the REST plugin
can result in remote code execution. CVE-2017-9805. All versions of Struts
since 2008, fixed in today's release of 2.5.13 [1]. If you're using Java and
receiving XML data, look _really hard_ at this.

"A RCE attack is possible when using the Struts REST plugin with XStream
handler to deserialise XML requests"
[https://struts.apache.org/docs/s2-052.html](https://struts.apache.org/docs/s2-052.html)

[1] [https://struts.apache.org/announce.html#a20170905](https://struts.apache.org/announce.html#a20170905)
for today's release announcement of 2.5.13 that fixes this plus two denial-of-
service vulnerabilities.
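The "look really hard" part, as an added illustration that is not from fencepost's comment and not the Struts project's own patch: an XStream instance created with `new XStream()` on the 1.4.x releases current at the time of S2-052 (before 1.4.18 made the allowlist the default) will instantiate whatever class name appears in the XML root element, which is the root of the deserialization problem. The XStream security framework (`addPermission`, `allowTypes`) turns that into a deny-by-default allowlist, which is the same general approach the fixed Struts REST plugin took. The `OrderRequest` DTO and the two XML bodies below are constructed for the example; `java.util.ArrayList` is used only as a harmless stand-in for an attacker-chosen class name.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical request DTO: the only type this endpoint is meant to accept.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    // Constructed request body of the expected shape.
    static final String EXPECTED_XML =
        "<order><sku>ABC-123</sku><quantity>2</quantity></order>";

    // Constructed body whose root element names a class the endpoint never asked for.
    // The class itself is harmless here; the point is that the name is attacker-chosen,
    // and an unrestricted XStream will happily instantiate it.
    static final String UNEXPECTED_XML =
        "<java.util.ArrayList><string>anything</string></java.util.ArrayList>";

    // What the pre-2.5.13 REST plugin effectively did: alias the DTO, trust the rest.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    // Deny-by-default allowlist: clear all type permissions, then re-admit only
    // null, primitives, String and the one DTO this endpoint is supposed to receive.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // forbid every class first
        xs.addPermission(NullPermission.NULL);              // allow <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    // Returns the runtime class name XStream produced for UNEXPECTED_XML, or
    // "REJECTED" if the security framework refused to instantiate it.
    // ForbiddenClassException is an XStreamException, so the broader catch covers it.
    static String classifyUnexpected(XStream xs) {
        try {
            Object o = xs.fromXML(UNEXPECTED_XML);
            return o.getClass().getName();
        } catch (XStreamException e) {
            return "REJECTED";
        }
    }

    static OrderRequest parseExpected(XStream xs) {
        return (OrderRequest) xs.fromXML(EXPECTED_XML);
    }

    public static void main(String[] args) {
        // Unrestricted instance: the attacker-named class is instantiated.
        System.out.println("unrestricted -> " + classifyUnexpected(unrestricted()));

        // Allowlisted instance: legitimate requests still parse ...
        OrderRequest ok = parseExpected(allowlisted());
        System.out.println("allowlisted  -> " + ok.sku + " x" + ok.quantity);

        // ... but anything outside the allowlist is refused before instantiation.
        System.out.println("allowlisted  -> " + classifyUnexpected(allowlisted()));
    }
}
```

Run against XStream 1.4.x (pre-1.4.18) the first line prints `java.util.ArrayList`, showing that the root element name alone decides which class gets built; the allowlisted instance parses the `OrderRequest` normally and reports `REJECTED` for the other body. The real attack payloads for S2-052 name classes whose construction or deserialization has side effects, which is exactly why the allowlist has to be the only thing deciding what may be instantiated.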

