Versions Compared

Old Version 5

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version Current

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin


Who should read this

All Struts 2 developers and users which are using the REST plugin

Impact of vulnerability

A DoS attack is possible when using outdated json-lib with the Struts REST plugin

Maximum security rating

Medium

Moderate

Recommendation

Upgrade to Struts 2.5.14.1

or Struts 2.4 (TBD)

Affected Software

Struts 2.1.1 - 2.3.34,

Struts 2.5 - Struts 2.5.14

Reporter

Huijun Chen

<chenhuijun at huawei dot com> - Cyber Security Solution Dept, Huawei Technologies Co., Ltd

HPE (TBD)

, XiaoLong Zhu - Huawei Technologies

CVE Identifier

CVE-2017-15707

CVE Identifier

 

Problem

The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

...

Upgrade to Apache Struts version 2.5.14.1 or 2.4. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here.

Backward compatibility

No backward incompatibility issues are expected.

...

Use Jackson handler instead of the default JSON-lib handler as described here.