Summary
A crafted JSON request can be used to perform a DoS attack when using the Struts REST pluginWho should read this | All Struts 2 developers and users which are using the REST plugin |
---|---|
Impact of vulnerability | A DoS attack is possible when using outdated json-lib with the Struts REST plugin |
Maximum security rating | Medium |
Recommendation | Upgrade to Struts 2.5.14.1 or Struts 2.4 (TBD) |
Affected Software | Struts 2.1.1 - 2.3.34, Struts 2.5 - Struts 2.5.14 |
Reporter | Huijun Chen <chenhuijun at huawei dot com> - Cyber Security Solution Dept, Huawei Technologies Co., Ltd HPE (TBD) |
CVE Identifier | CVE-2017-15707 |
Problem
The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Solution
Upgrade to Apache Struts version 2.5.14.1 or 2.4. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Use Jackson handler instead of the default JSON-lib handler as described here.