CVE-2017-9805 — Apache Struts Deserialization of Untrusted Data Vulnerability

Apache Struts REST Plugin — XStream XML Deserialization Without Type Filtering Enables Unauthenticated RCE via Crafted XML Request; S2-052; HIGH 8.1; Patched September 2017

What Is the Apache Struts REST Plugin?

The Apache Struts REST Plugin (struts2-rest-plugin) enables Struts 2 applications to serve RESTful APIs by mapping HTTP methods (GET, POST, PUT, DELETE) to action methods and handling content negotiation. To support XML request bodies, the plugin uses XStream — a popular Java XML serialization library — to convert XML payloads into Java objects. CVE-2017-9805 exploits this XML deserialization path: when XStream is used without type filtering, a crafted XML payload can instantiate arbitrary Java classes through XStream's gadget chain mechanism, leading to remote code execution.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-9805 (Apache S2-052) is a deserialization vulnerability (CWE-502) in the Struts 2 REST Plugin. When the plugin handles an XML request body, it uses an XStreamHandler instance without any type filtering — allowing an attacker to submit a malicious XStream gadget chain as XML that executes arbitrary code on the server. The vulnerability requires no authentication and no user interaction; exploitation requires the REST plugin to be present in the application (AC:H). A public PoC was released two days after the September 5, 2017 advisory, and mass scanning began within 24 hours. Fixed in Struts 2.3.34 and 2.5.13. CISA added CVE-2017-9805 to the KEV catalog in November 2021.

Affected Versions

Component                        Affected          Fixed
Apache Struts 2 (REST Plugin)    2.1.2 – 2.3.33    2.3.34
Apache Struts 2 (REST Plugin)    2.5.x – 2.5.12    2.5.13

The REST plugin (struts2-rest-plugin) must be present in the application. Applications not using the REST plugin are not affected.

Technical Details

Root Cause: XStream Deserialization Without Type Filtering

CVE-2017-9805 is a deserialization of untrusted data vulnerability (CWE-502) in XStreamHandler within the Struts 2 REST plugin. When a client sends a request with Content-Type: application/xml, the plugin routes the request body through XStream.fromXML() without any type whitelist or blacklist filtering. XStream supports arbitrary class instantiation through XML — an attacker can craft XML that instantiates Java classes available on the classpath (gadgets) and chains their constructors and methods to execute OS commands.

Gadget chain exploitation: Standard XStream gadget chains (using classes from the JDK, Spring, or other common libraries on the classpath) allow executing arbitrary commands. No application-specific classes or knowledge of the application is required — only standard Java classes are needed.

Content-Type requirement: The exploit requires sending Content-Type: application/xml — this is the "High Complexity" factor in the CVSS score. In practice, this is trivial; any HTTP client can set an arbitrary Content-Type.
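To make the root cause concrete, the following added example (not code from Struts or the advisory) shows the unfiltered XStream instance the text describes beside an allowlisted one of the kind the fixed versions use: every type is denied first, then only the request DTO and the primitives it needs are re-enabled, so XML naming any other class is rejected before instantiation. The class names XmlBodyReader and OrderRequest, the alias "order", and both XML bodies are constructed for the example; it assumes XStream 1.4.7 or later on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ArrayTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XmlBodyReader {

    // Hypothetical DTO: the only object shape this endpoint should ever accept.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    // Unfiltered instance: the configuration the advisory describes. Any class on the
    // classpath can be named in the XML, which is the CWE-502 condition.
    static XStream unfilteredXStream() {
        return new XStream();
    }

    // Filtered instance: deny every type first, then allow only what the endpoint needs.
    static XStream filteredXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // nothing is allowed by default
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.addPermission(ArrayTypePermission.ARRAYS);
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);                 // XML root element name
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: a legitimate order and one naming an unexpected JDK type.
        String legit = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.LinkedList><string>x</string></java.util.LinkedList>";

        XStream xs = filteredXStream();
        OrderRequest req = (OrderRequest) xs.fromXML(legit);
        System.out.println("accepted: " + req.sku + " x" + req.quantity);

        try {
            xs.fromXML(unexpected);               // would succeed with unfilteredXStream()
        } catch (XStreamException e) {
            // ForbiddenClassException (a subclass) is raised for the disallowed type; answer with
            // HTTP 400 and log the type name, and never fall back to the unfiltered instance.
            System.out.println("rejected unexpected type: " + e.getMessage());
        }
    }
}
```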

Attack Characteristics

Attribute                   Detail
Attack Vector               Network — HTTP POST/PUT with XML Content-Type
Authentication              None required
Complexity factor           REST plugin must be deployed (AC:H)
Time to PoC                 2 days after advisory
Time to mass exploitation   3 days after advisory

Discovery

Discovered by Man Yue Mo of the Semmle Security Research Team, who reported the vulnerability to the Apache Struts security team. Published as S2-052 on September 5, 2017.

Exploitation Context

  • Post-Equifax crisis context: CVE-2017-9805 was disclosed on September 5, 2017 — three days before Equifax publicly disclosed the CVE-2017-5638 breach (September 7, 2017); the simultaneous disclosure of another critical Struts vulnerability created enormous pressure on organizations still scrambling to patch Struts after the Equifax news
  • Rapid weaponization: Public PoC exploits appeared September 7, 2017; mass scanning and exploitation campaigns targeting the REST plugin endpoint began September 8; within a week multiple threat actors were using CVE-2017-9805 for cryptominer and RAT deployment
  • Equifax spotlight on Struts: The Equifax breach put Apache Struts at the top of the patching priority list for thousands of organizations — CVE-2017-9805 exploited this moment as security teams were focused on Struts but had not yet inventoried all Struts deployments
  • CISA KEV (2021): Added November 3, 2021 as part of the initial KEV catalog launch, reflecting persistent exploitation of unpatched Struts deployments

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply updates per vendor instructions.

  1. Upgrade to Struts 2.3.34 or 2.5.13+ — the patch replaces the unfiltered XStreamHandler with a type-filtered implementation; upgrade immediately if the REST plugin is in use.

  2. Remove the REST plugin if not needed — if struts2-rest-plugin is not required by the application, remove it from the classpath to eliminate the attack surface entirely.

  3. Restrict XML Content-Type at the WAF — deploy a web application firewall rule to block or alert on requests with Content-Type: application/xml sent to Struts REST endpoints while patching is in progress.

  4. Inventory all Struts deployments — in the wake of CVE-2017-5638 and CVE-2017-9805, maintain an inventory of all Java web applications using Apache Struts and of which plugins each has enabled; the REST plugin may be present in applications that do not intentionally use REST.

  5. Keep Struts current — Apache Struts has had multiple critical deserialization and OGNL injection vulnerabilities; apply Struts security updates promptly as a standing operational requirement.

Key Details

Property               Value
CVE ID                 CVE-2017-9805
Vendor / Product       Apache — Struts
NVD Published          2017-09-15
NVD Last Modified      2025-10-22
CVSS 3.1 Score         8.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-502 — Deserialization of Untrusted Data
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2017-09-05   Apache Struts releases versions 2.3.34 and 2.5.13 patching CVE-2017-9805 (S2-052); S2-052 advisory published
2017-09-07   Public proof-of-concept exploit code released
2017-09-08   Mass exploitation begins within 24 hours of PoC release
2017-09-15   CVE-2017-9805 published by NVD
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog (initial KEV launch batch)
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                               Type
NVD — CVE-2017-9805                    Vulnerability Database
CISA KEV Catalog Entry                 US Government
Apache Struts S2-052 Security Advisory Vendor Advisory