You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

Summary

DoS via OOM owing to no sanity limit on normal form fields in multipart forms.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Denial of Service

Maximum security rating

Important

Recommendation

Upgrade to Struts 2.5.30.1 or 6.1.2.1 or greater

Affected Software

Struts 2.0.0 - Struts 6.1.2

Reporters

Matthew McClain

CVE Identifier

CVE-2023-34396

Problem

When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory.

Solution

Upgrade to Struts 2.5.30.1 or 6.1.2.1 or greater.

Backward compatibility

No issues expected when upgrading to Struts 2.5.30.1 or 6.1.2.1

Workaround

Set struts.multipart.maxSize to a value much much smaller than the available memory.

  • No labels