Is Spectrum vulnerable to CVE-2017-9805 vulnerability?

Document ID : KB000015898
Last Modified Date : 14/02/2018
Introduction:

CVE-2017-9805 (Apache advisory S2-052) describes a possible Remote Code Execution (RCE) attack when the Struts REST plugin uses its XStream handler to process XML payloads. It affects applications built on the Struts 2 MVC framework, versions 2.1.2 - 2.3.33 and 2.5 - 2.5.12, that deploy the REST plugin. The REST plugin's XStreamHandler hands incoming XML to an XStream instance for deserialization without any type filtering, so an attacker-controlled XML document can instantiate arbitrary classes and achieve Remote Code Execution. The vulnerable code path exists only when the REST plugin is on the classpath; applications that use Struts 2 without the plugin are not exposed. The fix shipped in Struts 2.3.34 and 2.5.13.

Question:

Is Spectrum affected by CVE-2017-9805?

Environment:
All Spectrum versions
Answer:

No, Spectrum is not affected by this vulnerability. Spectrum does use the Struts 2 MVC framework, but it does not use the REST plugin: the REST plugin jar (struts2-rest-plugin) is not shipped as part of the Spectrum deployment, so the vulnerable XStreamHandler code path is not present.
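The answer above rests on a single, checkable precondition: whether struts2-rest-plugin is on the classpath at all, and if so, whether its version falls in the affected ranges. The script below is an added example, not part of this KB article or of the Spectrum product, that performs that triage on any deployment tree you point it at. The directory argument and the fixture names are hypothetical; it assumes only that the plugin jar, when present, carries the usual Maven file name (struts2-rest-plugin-<version>.jar) either loose on disk or inside a .war/.ear, and that unzip is available for listing archive contents.

```sh
#!/bin/sh
# Added example (not from the KB article or the Spectrum product):
# triage a Struts 2 deployment tree for S2-052 / CVE-2017-9805 exposure.
# The vulnerable XStreamHandler lives in struts2-rest-plugin, so the scan
# looks for that jar rather than for struts2-core. The root directory is
# whatever you pass in; no particular product install layout is assumed.

# Return 0 if a Struts version string is inside the affected ranges from the
# advisory (2.1.2 - 2.3.33 and 2.5 - 2.5.12), 1 otherwise.
# Only plain "major.minor[.patch]" strings are understood.
struts_version_affected() {
    v="$1"
    case "$v" in *.*) ;; *) return 1 ;; esac   # need at least major.minor
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # "2.5" means 2.5.0
    [ "$major" = "2" ] || return 1
    case "$minor" in
        1) [ "$patch" -ge 2 ] ;;               # 2.1.2 and later 2.1.x
        2) return 0 ;;                         # every 2.2.x
        3) [ "$patch" -le 33 ] ;;              # fixed in 2.3.34
        5) [ "$patch" -le 12 ] ;;              # fixed in 2.5.13
        *) return 1 ;;
    esac
}

# Print every struts2-rest-plugin jar under "$1" (loose on disk, or listed
# inside a .war/.ear via "unzip -l", which extracts nothing) together with a
# verdict derived from the version in its file name.
# Returns 0 if at least one jar needs attention, 1 if none was found or all
# are in fixed versions.
scan_for_rest_plugin() {
    root="$1"
    affected=1
    jars=$(find "$root" -type f -name 'struts2-rest-plugin*.jar' 2>/dev/null
           find "$root" -type f \( -name '*.war' -o -name '*.ear' \) 2>/dev/null |
           while IFS= read -r a; do
               unzip -l "$a" 2>/dev/null | awk -v a="$a" \
                   '$NF ~ /struts2-rest-plugin.*\.jar$/ { print a "!" $NF }'
           done)
    if [ -z "$jars" ]; then
        echo "no struts2-rest-plugin jar under $root: S2-052 code path absent"
        return 1
    fi
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        base=${jar##*/}                        # e.g. struts2-rest-plugin-2.3.33.jar
        ver=${base#struts2-rest-plugin-}
        ver=${ver%.jar}
        case "$ver" in
            [0-9]*.[0-9]*)
                if struts_version_affected "$ver"; then
                    echo "AFFECTED      $jar (Struts $ver)"
                    affected=0
                else
                    echo "not affected  $jar (Struts $ver)"
                fi ;;
            *)
                # No version in the file name: cannot clear it, flag for review
                echo "REVIEW        $jar (version not in file name)"
                affected=0 ;;
        esac
    done <<EOF
$jars
EOF
    return $affected
}

# Usage: scan_for_rest_plugin /path/to/deployment/root
```

A hit on struts2-core alone is deliberately not reported: Struts 2 itself is present in many products, and for this CVE only the REST plugin matters. Archives nested more than one level deep (a jar inside a war inside an ear) are not descended into; extract the outer archive first if that layout applies.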

Additional Information:

https://struts.apache.org/docs/s2-052.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805