Status update on screening of Dahua Products against Apache Struts 2 S2-052 vulnerability

Date: 2017-09-06
First Published: September 6, 2017

Summary:
The latest security bulletin, S2-052, released by Apache Struts 2 on September 5, 2017, identified a new vulnerability (CVE ID: CVE-2017-9805) affecting versions Struts 2.5 ~ Struts 2.5.13. An RCE attack is possible when using the Struts REST plugin with the XStream handler to deserialise XML requests: the REST plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. For more details on the Apache Struts 2 vulnerability, please check the official Apache Struts 2 web site: https://struts.apache.org/docs/security-bulletins.html

CVE ID: CVE-2017-9805

Affected Products:
Dahua Cybersecurity Center (DHCC) has screened all Dahua products that use the Apache Struts 2 framework. None of them are affected by this vulnerability.
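
Because the summary ties the issue to the Struts REST plugin, a screening pass can start by locating that plugin's jar inside each deployable bundle. The script below is an added example, not Dahua's screening procedure or Apache code; the jar naming pattern, the sample bundle names and the helper names are assumptions, and the version bounds are the ones stated in the summary above.

```python
import io
import re
import zipfile

# Range as stated in the summary above (Struts 2.5 through 2.5.13); check it
# against the Apache bulletin before treating an out-of-range hit as cleared.
STATED_RANGE = ((2, 5, 0), (2, 5, 13))
REST_JAR = re.compile(r"(?:^|/)struts2-rest-plugin-(\d+(?:\.\d+)*)[^/]*\.jar$")
NESTED = (".war", ".ear", ".zip")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10): first three numeric fields, zero-padded."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def screen(data, path="", stated=STATED_RANGE, depth=0):
    """Return [(location, version, in_stated_range)] for each REST plugin jar."""
    if depth > 4:  # bound recursion on pathological bundles
        return []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for name in zf.namelist():
            where = f"{path}!/{name}" if path else name
            m = REST_JAR.search(name)
            if m:
                ver = parse_version(m.group(1))
                hits.append((where, m.group(1), stated[0] <= ver <= stated[1]))
            elif name.lower().endswith(NESTED):
                # Open nested WAR/EAR/ZIP members in memory and keep the full path.
                hits += screen(zf.read(name), where, stated, depth + 1)
    return hits

def make_bundle(entries):
    """Constructed sample input: {entry name: bytes} -> archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    war = make_bundle({"WEB-INF/lib/struts2-rest-plugin-2.5.10.jar": b""})
    ear = make_bundle({"app.war": war, "lib/commons-io-2.5.jar": b""})
    print(screen(ear, "product.ear"))
```

Every bundle that ships the REST plugin is reported with its version, so a hit outside the stated range still reaches a reviewer instead of being silently dropped.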

Support Resources
Please send an e-mail to cybersecurity@dahuatech.com if you have any questions about this vulnerability. We appreciate your efforts in helping us improve the security level of Dahua’s products/solutions.