Apache Struts2 Remote Command Execution (S2-052)
Description
Apache Struts 2 versions prior to 2.5.13 and 2.3.34 contain a critical remote code execution vulnerability in the REST plugin when configured to use the XStream handler for processing XML payloads. Attackers can exploit insecure XML deserialization to execute arbitrary commands on the server without authentication.
Remediation
Immediately upgrade Apache Struts 2 to version 2.5.13 or later (for 2.5.x branch) or version 2.3.34 or later (for 2.3.x branch). If immediate patching is not possible, implement the following temporary mitigations:
1. Disable the XStream handler in the Struts REST plugin by removing or commenting out the XStream-related configuration in your struts.xml file
2. Restrict access to REST endpoints using network-level controls (firewall rules, WAF) until patching is complete
3. Monitor application logs for suspicious XML payloads or unexpected deserialization activity
After upgrading, verify the patch by testing that XML deserialization no longer processes untrusted object types. Review the Apache Struts Security Bulletin S2-052 for additional configuration guidance specific to your deployment.
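One way to implement the log-monitoring mitigation listed above, written as an added example for this page and not taken from the Apache Struts project or the S2-052 bulletin. It assumes request logs are available as JSON lines carrying the method, path, Content-Type and request body (a constructed format; adapt the loader to your own logging), and it relies on a heuristic: a REST DTO serialized by the plugin uses simple element names such as <order> or <id>, so a fully-qualified JDK or framework class name appearing as an element name, or in the class="..." attribute that XStream honours for type overrides, is the kind of "untrusted object type" worth an alert. The namespace list and the sample log lines are constructed for the example.

```python
import json
import re

# Namespaces whose classes have no business appearing as element names in an
# ordinary REST payload. Constructed heuristic for this example; extend it with
# any third-party namespaces present on your classpath.
SUSPICIOUS_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "com.sun.", "org.apache.")

# Content types the Struts REST plugin hands to the XML (XStream) handler.
XML_CONTENT_TYPES = ("application/xml", "text/xml")

# XStream maps Java class names straight onto element names, and also accepts a
# class="..." attribute to override the type of an element.
TAG_RE = re.compile(r"<([A-Za-z_][\w.$-]*)")
CLASS_ATTR_RE = re.compile(r'\bclass\s*=\s*["\']([^"\']+)["\']')


def is_xml_request(content_type: str) -> bool:
    """True when the Content-Type (ignoring parameters) selects the XML handler."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in XML_CONTENT_TYPES


def suspicious_names(body: str) -> list:
    """Return the sorted, de-duplicated class-like names found in tags or class attributes."""
    names = TAG_RE.findall(body) + CLASS_ATTR_RE.findall(body)
    return sorted({n for n in names if n.lower().startswith(SUSPICIOUS_PREFIXES)})


def classify(record: dict) -> dict:
    """Produce a verdict for one parsed log record (constructed field names)."""
    verdict = {"path": record["path"], "alert": False, "reason": ""}
    # Only XML bodies reach the XStream handler; GET/HEAD carry no body to deserialize.
    if record["method"].upper() in ("GET", "HEAD"):
        return verdict
    if not is_xml_request(record.get("content_type", "")):
        return verdict
    hits = suspicious_names(record.get("body", ""))
    if hits:
        verdict["alert"] = True
        verdict["reason"] = "java class names in XML body: " + ", ".join(hits)
    return verdict


def scan(lines) -> list:
    """Classify every non-empty JSON log line and return the verdicts in order."""
    return [classify(json.loads(line)) for line in lines if line.strip()]


# Constructed sample log lines: two ordinary REST requests, then two XML bodies
# that name JDK classes instead of application fields.
SAMPLE_LOG = [
    '{"method": "POST", "path": "/orders.xml", "content_type": "application/xml", '
    '"body": "<order><id>7</id><sku>ABC-1</sku></order>"}',
    '{"method": "GET", "path": "/orders/7.json", "content_type": "", "body": ""}',
    '{"method": "POST", "path": "/orders.xml", "content_type": "application/xml; charset=UTF-8", '
    '"body": "<java.util.TreeMap><entry><string>a</string><int>1</int></entry></java.util.TreeMap>"}',
    '{"method": "PUT", "path": "/orders/7.xml", "content_type": "text/xml", '
    '"body": "<order class=\\"java.util.HashMap\\"><id>7</id></order>"}',
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        flag = "ALERT " if verdict["alert"] else "ok    "
        print(f"{flag}{verdict['path']} {verdict['reason']}")
```

Run as a script it prints one line per request, flagging the last two; fed a real log stream it can drive a SIEM alert. Because the check is a regex over raw bodies rather than a full XML parse, it also fires on deliberately malformed XML that would trip a strict parser, and it costs nothing on the JSON traffic that the plugin never routes to XStream.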