A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin
| | |
| :------------ | :------------ |
| Who should read this | All Struts 2 developers and users which are using the REST plugin |
| Impact of vulnerability | A DoS attack is possible when using XStream handler with the Struts REST plugin. |
| Maximum security rating | Medium |
| Recommendation | Upgrade to Struts 2.5.16 |
| Affected Software | Struts 2.1.1 - Struts 220.127.116.11 |
| Reporter | Yevgeniy Grushka & Alvaro Munoz from HPE |
| CVE Identifier | CVE-2018-1327 |
The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.
Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
### Backward compatibility
No backward incompatibility issues are expected.
Use Jackson XML handler instead of the default XStream handler as described [here](http://struts.apache.org/plugins/rest/#custom-contenttypehandlers).