Two Apache Struts2 vulnerabilities have been published. An attacker may exploit them to cause a denial of service.
S2-047: Affects Struts2 versions 2.5 up to 2.5.10.1 when using the built-in URLValidator on user-supplied data. The severity rating given by Apache Struts2 is low.
S2-049: Affects Struts2 versions 2.3.7 up to 2.3.32 and 2.5 up to 2.5.10.1 when using Spring secured actions. The severity rating given by Apache Struts2 is medium.
For further details see [1,2].
If you are using an affected Apache Struts2 version on a back-end system where you cannot rule out the presence of the vulnerability, we recommend updating Struts2 to version 2.5.12 or higher (or 2.3.33 for S2-049).
If you cannot upgrade Struts2, we recommend configuring the following virtual patches on Airlock WAF.
Create a new Allow Rule on all mappings connected to vulnerable Struts2 back-ends.
Path pattern template | (default) No Restriction |
HTTP method | OFF - (default) No Restriction |
Content type | OFF - (default) No Restriction |
IP address | OFF - (default) No Restriction |
1. Parameter name pattern | .* |
1. Parameter value pattern template | (default) No Restriction |
2. Parameter name pattern | List all parameter names of your application where fully qualified URLs are expected. Example: ^(?:myUrl|myLocation|myRedirectUrl)$ |
2. Parameter value pattern | ^(?:(?!.*/\*.*\*/)[a-zA-Z][a-zA-Z0-9\-]{1,39}:\/\/[^<>"'`|;()\h\v\p{C}]*)?$ |
Create the following custom Deny Rule and enable the rule on all mappings connected to vulnerable Struts2 back-ends.
Type | Parameter-Value |
Pattern | accessDecisionManager |
Case-sensitive | off |
Invert | off |
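As an added illustration (not Airlock's code and not part of this advisory), the two virtual patches above expressed as a Python check over constructed request parameters. The parameter name list is the page's example; the PCRE classes \h, \v and \p{C} are approximated for Python's `re` module (assumption), and the deny rule is the case-insensitive substring match the page configures.

```python
import re
import unicodedata

# Names of the parameters the second allow-rule parameter applies to
# (the page's example list; adapt to your own application).
URL_PARAM_NAME = re.compile(r"^(?:myUrl|myLocation|myRedirectUrl)$")

# Translation of the page's PCRE value pattern into Python `re` (assumption:
# \h -> space/tab/NBSP, \v -> LF/VT/FF/CR/NEL/LS/PS; \p{C} is checked separately).
#   ^(?:(?!.*/\*.*\*/)[a-zA-Z][a-zA-Z0-9\-]{1,39}:\/\/[^<>"'`|;()\h\v\p{C}]*)?$
URL_VALUE = re.compile(
    r"^(?:(?!.*/\*.*\*/)[a-zA-Z][a-zA-Z0-9\-]{1,39}://"
    r"[^<>\"'`|;() \t\xa0\n\x0b\x0c\r\x85\u2028\u2029]*)?$"
)

# Custom deny rule: Type Parameter-Value, Pattern accessDecisionManager, case-insensitive.
DENY_SUBSTRING = "accessdecisionmanager"


def contains_control_char(value):
    """\\p{C}: any code point in a Unicode 'Other' category (Cc, Cf, Cs, Co, Cn)."""
    return any(unicodedata.category(ch).startswith("C") for ch in value)


def url_value_allowed(value):
    """Allow-rule check for a parameter that must hold a plain fully qualified URL (or be empty)."""
    return URL_VALUE.fullmatch(value) is not None and not contains_control_char(value)


def deny_rule_matches(value):
    """Deny-rule check: value contains accessDecisionManager in any letter case."""
    return DENY_SUBSTRING in value.lower()


def check_request(params):
    """Return (name, reason) for each parameter the virtual patches would block.

    `params` is a list of (name, value) pairs, e.g. parsed from a query string or form body.
    The deny rule applies to every parameter; the URL allow rule only to the listed names.
    """
    blocked = []
    for name, value in params:
        if deny_rule_matches(value):
            blocked.append((name, "deny rule: accessDecisionManager"))
        elif URL_PARAM_NAME.match(name) and not url_value_allowed(value):
            blocked.append((name, "allow rule: value is not a plain URL"))
    return blocked
```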