...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | A possible DoS attack is available against Spring-secured actions when using URLValidator |
Maximum security rating | Low |
Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
Affected Software | Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 |
Reporter | Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at gmail dot com> |
CVE Identifier | CVE-2017-9804 |
...
No backward incompatibility issues are expected.
Workaround
Instead of using the default RegEx provided by the UrlValidator, you can use the one below (it is written as a Java string literal, so the backslashes are doubled):
```java
"^(?:https?|ftp):\\/\\/"
+ "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+"
+ "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?"
+ "@)?#?"
+ "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*"
+ "[a-z][a-z0-9-]*[a-z0-9]"
+ "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}"
+ "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])"
+ ")(?::\\d+)?"
+ ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*"
+ "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?"
+ "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?"
+ "$"
```
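As an added illustration (not part of this bulletin and not code from the Struts project), the stand-alone Java program below compiles the replacement regex above, checks it against a handful of constructed URLs that should pass or fail, and times a hostile input to confirm that matching finishes quickly rather than backtracking catastrophically. Two things are assumptions rather than statements from the bulletin: that the validator compiles the pattern with Pattern.CASE_INSENSITIVE, and the sample URLs themselves, which are constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Stand-alone harness for the replacement URL regex from this bulletin.
 * Added example; not code from the bulletin or from Struts itself.
 */
public class UrlRegexWorkaroundCheck {

    /** The bulletin's replacement regex, copied verbatim as a Java string. */
    static final String URL_REGEX =
            "^(?:https?|ftp):\\/\\/"
            + "(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+"
            + "(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?"
            + "@)?#?"
            + "(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*"
            + "[a-z][a-z0-9-]*[a-z0-9]"
            + "|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}"
            + "(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])"
            + ")(?::\\d+)?"
            + ")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*"
            + "(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?"
            + "(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?"
            + "$";

    // Assumption: the validator compiles its regex with CASE_INSENSITIVE, so the
    // lowercase classes above also accept "HTTP://EXAMPLE.COM". Mirror that here.
    static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX, Pattern.CASE_INSENSITIVE);

    /** Same decision a validator makes: the whole value must match. */
    static boolean isValidUrl(String candidate) {
        return URL_PATTERN.matcher(candidate).matches();
    }

    /** Constructed samples mapped to the verdict the regex should give. */
    static Map<String, Boolean> samples() {
        Map<String, Boolean> m = new LinkedHashMap<>();
        m.put("http://example.com", true);
        m.put("HTTP://EXAMPLE.COM", true);                                   // needs CASE_INSENSITIVE
        m.put("https://user:pa%20ss@example.com:8443/a/b?x=1&y=2#frag", true);
        m.put("ftp://192.168.0.1/pub", true);
        m.put("http://localhost/", true);                                    // single-label hosts pass
        m.put("javascript:alert(1)", false);                                 // scheme is not http(s)/ftp
        m.put("http://256.1.1.1", false);                                    // octet out of range
        m.put("http://-example.com", false);                                 // label may not start with '-'
        m.put("http://exa mple.com", false);                                 // whitespace is never allowed
        return m;
    }

    /** Returns true when every sample gets its expected verdict. */
    static boolean samplesBehaveAsExpected() {
        boolean ok = true;
        for (Map.Entry<String, Boolean> e : samples().entrySet()) {
            boolean actual = isValidUrl(e.getKey());
            if (actual != e.getValue()) {
                System.out.println("MISMATCH: " + e.getKey() + " -> " + actual);
                ok = false;
            }
        }
        return ok;
    }

    /**
     * Milliseconds to match a hostile input: many dotted labels ended by a
     * character no part of the regex accepts, so the engine must backtrack
     * through the userinfo attempt and through every label before failing.
     * Kept to a few hundred characters on purpose: java.util.regex recurses
     * once per repetition of a group that contains an alternation, so very
     * long probes can raise StackOverflowError instead of producing a timing.
     */
    static long hostileProbeMillis(int labels) {
        StringBuilder sb = new StringBuilder("http://");
        for (int i = 0; i < labels; i++) {
            sb.append("a.");
        }
        sb.append('<');
        long start = System.nanoTime();
        isValidUrl(sb.toString());
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        System.out.println("samples ok: " + samplesBehaveAsExpected());
        long ms = hostileProbeMillis(400);
        System.out.println("hostile probe (400 labels): " + ms + " ms"
                + (ms > 200 ? "  <-- suspicious, investigate backtracking" : ""));
    }
}
```

Run it with `javac UrlRegexWorkaroundCheck.java && java UrlRegexWorkaroundCheck`. The probe is deliberately modest in size: a regex with catastrophic backtracking shows multi-second stalls on inputs of a few dozen characters, so a few hundred characters are enough to reveal a problem, and staying small avoids the stack-depth limit of the JDK's backtracking engine. Whatever regex you deploy, pair it with a length limit on the field (for example a stringlength validator) so an attacker cannot substitute sheer input size for a clever pattern.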
...