Resources Blog A Struts2 Vulnerability Hurricane: Deserialization

A Struts2 Vulnerability Hurricane: Deserialization


On Friday, September 8th, the massive breach of 143 million consumer records at Equifax was directly tied to Struts2.  

A Massive Storm

As the massive hurricane Irma slams into Caribbean nations and hurtles itself toward Florida, another massive hurricane roared across the software world yesterday.  Apache announced a major Struts2 deserialization vulnerability.  


With the brute force of a Category 5 hurricane, the last major Struts2 vulnernability in March 2017 had impacted 2,700 organizations.  That global Struts2 storm knocked out organizations like the Canadian Revenue Agency, Statistics Canada, GMO Payment Gateway, Japan Post, and Okinawa Electric Power.  This new vulnerability could have a much broader impact due to its ease of exploit.

Understanding Deserialization and Struts REST

According to a report in Naked Security:

"Struts REST supports XML using a programming library called XStream, which turns out to be way more powerful than is strictly necessary for exchanging data between browsers and servers. Indeed, XStream allows you to encode any sort of Java object into XML (this is a technique with the fancy-sounding jargon name of serialisation, because it converts arbitrarily complex collections of structured binary data into a serial string of text characters), not just numbers and text."

"Unfortunately, until Struts 2.5.13, which came out yesterday (Tuesday 05 September 2017), booby-trapped XML could be fed to a Struts server so that attackers could embed commands into what was supposed to be plain data.  This sort of bug is known as RCE, or Remote Code Execution, and it generally means that crooks can take control of your server automatically from afar."

Impact for Sonatype Clients: Three Things to Know

When a zero-day vulnerability is announced, there are three things you need to know -- and the sooner the better: (1) did you ever use the vulnerable versions of the component, (2) if yes, where was it used, and (3) what, if any, remediation options are available.

Yesterday, Sonatype Nexus clients using the Struts2 components in their development pipelines or who have applications using it in production were automatically alerted to the new vulnerability.  They immediately knew if they were using the vulnerable components, where they were, and what new version would provide a safe remediation path.  Mean time to identify the issue was zero and the mean time to remediation for our client's was tremendously accelerated.

Free Service for Non-Sonatype Clients

For those readers here who are not Sonatype clients, we offer a free service to create an open source software bill of materials to identify problematic components in your software applications, including the latest Struts2 vulnerability.  The analysis of an application can be completed in seconds, after downloading the free analysis tool.

Forecasting Vulnerabilities

New zero-day vulnerabilities are like hurricanes.  You dont know exactly when or where they will happen, but you know that they will happen.  And when they do, your organization needs to be prepared with the best intelligence to map out the impact of the threat, identify where the hardest hit areas are, and begin to send teams into action immediately to repair the impacted applications.

It's hurricane season every day.  How has your team prepared?


Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.