Rule Definition
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

Remediation
Use Jackson handler instead of the default JSON-lib handler. Upgrade to Struts 2.5.14.1

Violation Code Sample

<struts>

  <package name="example"  extends="json-default">
     <action name="JSONExample" class="example.JSONExample">
        <result type="json"/>
     </action>
  </package>

</struts>

---------------------------------------
<struts>
  <package name="employee" extends="struts-default, json-default" namespace="/employee">

    <action name="list" method="list" 
                     class="org.apache.struts2.showcase.action.EmployeeAction" >
        <result>/empmanager/listEmployees.jsp</result>
        <result type="json">
            <param name="root">employees</param>
        </result>
    </action>

  </package>
</struts>

Fixed Code Sample

Upgrade to Struts 2.5.14.1

---
Overwrite the Content Handler with the Jackson Content Handler in the struts.xml:

<bean type="org.apache.struts2.rest.handler.ContentTypeHandler" name="jackson" class="org.apache.struts2.rest.handler.JacksonLibHandler"/>
<constant name="struts.rest.handlerOverride.json" value="jackson"/>
 
<!-- Set to false if the json content can be returned for any kind of http method -->
<constant name="struts.rest.content.restrictToGET" value="false"/>
 
<!-- Set encoding to UTF-8, default is ISO-8859-1 -->
<constant name="struts.i18n.encoding" value="UTF-8"/>

https://nvd.nist.gov/vuln/detail/CVE-2017-15707 https://cwiki.apache.org/confluence/display/WW/S2-054 https://cwiki.apache.org/confluence/display/WW/REST+Plugin#RESTPlugin-UseJacksonframeworkasJSONContentTypeHandler