CVE-2017-9805
Published: 15 September 2017
Summary
CVE-2017-9805 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Hosted Collaboration Solution. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to its Known Exploited Vulnerabilities catalog; and a public proof of concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2017-9805 is a deserialization flaw (CWE-502) in the REST Plugin of Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13. It arises because the plugin's XStreamHandler hands incoming XML payloads to an XStream instance that performs no type filtering during deserialization, so the XML itself decides which classes get instantiated.
An attacker with network access can supply a crafted XML payload to trigger remote code execution on the server. The attack requires no privileges or user interaction and carries a CVSS 3.1 score of 8.1, reflecting high impact on confidentiality, integrity, and availability despite the attack complexity noted in the scoring.
Referenced advisories from Oracle, Red Hat, Apache, SecurityFocus, and SecurityTracker address the issue and point to the availability of patched versions 2.3.34 and 2.5.13.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-0602
Vulnerability details
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of untrusted XML input prior to XStream deserialization, directly blocking the crafted payloads that trigger RCE.
- SI-2 (Flaw Remediation): Requires prompt application of the available Struts patches (2.3.34 / 2.5.13) that add type filtering to the XStreamHandler.
- Disables or restricts the vulnerable REST plugin and XStream usage unless explicitly required, reducing the attack surface for deserialization.
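The fix for this class of flaw is the type filtering the controls above describe: XStream's security framework is set to deny every class by default and then re-enabled only for the types the endpoint actually expects. The following is an added illustration written for this page, not Struts's own XStreamHandler; it assumes XStream 1.4.7 or later (where the `addPermission`/`allowTypes` API exists), and the `OrderRequest` payload class and the `SafeXmlDeserializer` wrapper are hypothetical names chosen for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not Struts code): an XStream instance configured with an
// explicit allowlist, so an XML element that names an unexpected class is
// rejected before any object of that class is constructed.
public class SafeXmlDeserializer {

    // Hypothetical application payload type; the allowlist names only what
    // this endpoint is supposed to receive.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    private final XStream xstream;

    public SafeXmlDeserializer() {
        xstream = new XStream();
        // Start from "deny every type", then re-enable only what is needed:
        // null, primitives, String, and the one expected payload class.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, OrderRequest.class });
        // Map the <order> root element to the payload class.
        xstream.alias("order", OrderRequest.class);
    }

    /** Returns the parsed request, or null when the XML names a disallowed type. */
    public OrderRequest parse(String xml) {
        try {
            Object parsed = xstream.fromXML(xml);
            // Even an allowlisted type must be the one this endpoint expects.
            return (parsed instanceof OrderRequest) ? (OrderRequest) parsed : null;
        } catch (ForbiddenClassException e) {
            // XStream refused to instantiate a class outside the allowlist.
            // Log this: it is a useful detection signal for probing attempts.
            System.err.println("rejected XML naming disallowed class: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        SafeXmlDeserializer d = new SafeXmlDeserializer();
        // Constructed sample: a well-formed request matching the allowlist.
        OrderRequest ok = d.parse("<order><sku>ABC-1</sku><quantity>2</quantity></order>");
        System.out.println("parsed: " + ok.sku + " x" + ok.quantity);
        // Constructed sample: the root element names a class that is not allowlisted.
        OrderRequest bad = d.parse("<java.util.HashMap/>");
        System.out.println("disallowed payload accepted? " + (bad != null)); // false
    }
}
```

The second sample is deliberately harmless (a plain `java.util.HashMap`); the point is that XStream throws `ForbiddenClassException` as soon as the element name resolves to a class outside the allowlist, which is the behaviour the unpatched handler lacked. Logging that exception at the REST endpoint gives operations a cheap indicator that someone is sending unexpected types to the service.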