Apache Struts2 S2-056(CVE-2018-1327) CVE-2018-1327 CNNVD-201803-946

5.0 AV AC AU C I A
Published: 2018-03-27
Revised: 2023-11-07

### Summary

A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin.

| | |
| :------------ | :------------ |
| Who should read this | All Struts 2 developers and users who are using the REST plugin |
| Impact of vulnerability | A DoS attack is possible when using the XStream handler with the Struts REST plugin. |
| Maximum security rating | Medium |
| Recommendation | Upgrade to Struts 2.5.16 |
| Affected Software | Struts 2.1.1 - Struts 2.5.14.1 |
| Reporter | Yevgeniy Grushka & Alvaro Munoz from HPE |
| CVE Identifier | CVE-2018-1327 |

### Problem

The REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack to be performed with a malicious request carrying a specially crafted XML payload.

### Solution

Upgrade to Apache Struts version 2.5.16 and switch to the optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from Apache Struts 2.5.16.

###...

0%
No Exp or PoC is currently available
There is currently 1 affected product entry
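The Solution section above has two parts: the version upgrade and the switch away from the default XML handler. The following added example (not part of the original advisory or of Apache Struts) checks both for one deployment. It assumes the REST plugin jar is named `struts2-rest-plugin-<version>.jar`; the `struts.rest.handlerOverride.xml` setting and the `JacksonXmlHandler` class name come from the Struts REST plugin documentation rather than from this page, and the bean name `jacksonXml` and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Version bounds as stated in the advisory text above.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (2, 1, 1), (2, 5, 14, 1), (2, 5, 16)
JAR_RE = re.compile(r"struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")
# REST plugin setting that replaces the handler for the "xml" extension
# (taken from the REST plugin documentation, not from this page).
OVERRIDE = "struts.rest.handlerOverride.xml"

def _ver(value, width=4):
    """Turn '2.5.14.1' (or a tuple) into a zero-padded tuple for comparison."""
    if isinstance(value, str):
        value = tuple(int(p) for p in value.split("."))
    return tuple(value) + (0,) * (width - len(value))

def rest_plugin_status(jar_names):
    """Classify the REST plugin jar found in a WEB-INF/lib listing."""
    for name in jar_names:
        m = JAR_RE.search(name)
        if not m:
            continue
        v = _ver(m.group(1))
        if _ver(AFFECTED_MIN) <= v <= _ver(AFFECTED_MAX):
            return "affected"
        return "fixed" if v >= _ver(FIXED) else "outside-advisory-range"
    return "rest-plugin-absent"

def xml_handler_overridden(struts_xml):
    """True if struts.xml (a trusted local file) overrides the xml handler."""
    root = ET.fromstring(struts_xml.strip())
    return any(c.get("name") == OVERRIDE and c.get("value")
               for c in root.iter("constant"))

def audit(jar_names, struts_xml):
    """Report the upgrade and the handler switch as separate conditions."""
    status = rest_plugin_status(jar_names)
    if status == "fixed" and not xml_handler_overridden(struts_xml):
        return "fixed-but-default-xml-handler"
    return status

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_JARS = ["struts2-core-2.5.16.jar", "struts2-rest-plugin-2.5.16.jar"]
SAMPLE_DEFAULT = "<struts><constant name='struts.devMode' value='false'/></struts>"
SAMPLE_JACKSON = """
<struts>
  <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
        name="jacksonXml" class="org.apache.struts2.rest.handler.JacksonXmlHandler"/>
  <constant name="struts.rest.handlerOverride.xml" value="jacksonXml"/>
</struts>"""
```

The check only confirms that an override is configured; it does not verify which handler class the override points to.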