You are here

Apache Struts2: Denial of Service (S2-054)

Affects product: 
Airlock WAF
IDs: 
CVE-2017-15707
Keywords: 
Struts2, JSON
Description: 

Struts2 before 2.5.14.1 is affected by the vulnerabilities S2-054 (CVE-2017-15707) [1]. A DoS attack using a malicious request with specially crafted JSON payload is possible when using the outdated json-lib with the Struts REST plugin.

Airlock Suite software is not affected because Apache Struts2 is not used.

Resolution: 

Airlock WAF protects vulnerable back-ends if the Airlock WAF JSON parser (<Mapping> - "Advanced" - "Content Parsing" - "Parse JSON objects") is activated for the mapping connected to the vulnerable Struts2 back-end.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock