Summary
Jackson issueWho should read this | All Struts 2 developers and users which are using the REST plugin |
---|---|
Impact of vulnerability | Not clear .... |
Maximum security rating | Medium |
Recommendation | Upgrade to Struts 2.5.14.1 or Struts 2.4 (TBD) |
Affected Software | Struts 2.1.1 - 2.3.34, Struts 2.5 - Struts 2.5.14 |
Reporter | Huijun Chen <chenhuijun at huawei dot com> - Cyber Security Solution Dept, Huawei Technologies Co., Ltd HPE (TBD) |
CVE Identifier |
|
Problem
The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Solution
Upgrade to Apache Struts version 2.5.14.1 or 2.4. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Use Jackson handler instead of the default JSON-lib handler as described here.