Apache Struts2: Denial of Service (S2-054)

Submitted on 8. December 2017 - 9:45 by rischi.
Last update on 8. December 2017 - 9:51.

IDs:

CVE-2017-15707

Keywords:

Struts2, JSON

Description:

Struts2 before 2.5.14.1 is affected by the vulnerabilities S2-054 (CVE-2017-15707) [1]. A DoS attack using a malicious request with specially crafted JSON payload is possible when using the outdated json-lib with the Struts REST plugin.

Airlock Suite software is not affected because Apache Struts2 is not used.

Resolution:

Airlock WAF protects vulnerable back-ends if the Airlock WAF JSON parser (<Mapping> - "Advanced" - "Content Parsing" - "Parse JSON objects") is activated for the mapping connected to the vulnerable Struts2 back-end.

Component:

Airlock

Airlock Vulnerability Status:

Does not affect Airlock

Back-end Vulnerability Status:

Does not affect back-end behind Airlock

Reference:

[1] S2-054

Main menu

Navigation

User menu

You are here

Apache Struts2: Denial of Service (S2-054)

Main menu

Search form

Navigation

User menu

You are here

Apache Struts2: Denial of Service (S2-054)