You are here

Apache Struts2: Denial of Service (S2-047 and S2-049)

S2-047, S2-049, CVE-2017-9787, CVE-2017-7672
apache struts2

Two Apache Struts2 vulnerabilities have been released. An attacker may cause a denial of service attack.

S2-047: Affects Struts2 versions 2.5 up to when using the built-in URLValidator on user-supplied data. The severity rating given by Apache Struts2 is low.

S2-049: Affects Struts2 versions 2.3.7 up to 2.3.32 and 2.5 up to when using Spring secured actions. The severity rating given by Apache Struts2 is medium.

For further details see [1,2].


    If you are using an affected Apache Struts2 version on a back-end system where you can not rule-out the presence of the vulnerability we recommend to update Struts2 to version 2.5.12 or higher (or 2.3.33 for S2-049).

    If you can not upgrade Struts2 we recommend to configure the following virtual patches on Airlock WAF.

    Virtual patch for S2-047

    Create a new Allow Rule on all mappings connected to vulnerable Struts2 back-ends.

    Path pattern template (default) No Restriction
    HTTP method OFF - (default) No Restriction
    Content type OFF - (default) No Restriction
    IP address OFF - (default) No Restriction
    1. Parameter name pattern .*
    1. Parameter value pattern template (default) No Restriction
    2. Parameter name pattern List all parameter names of your application where full qualified URLs are expected.
    2. Parameter value pattern ^(?:(?!.*/\*.*\*/)[a-zA-Z][a-zA-Z0-9\-]{1,39}:\/\/[^<>"'`|;()\h\v\p{C}]*)?$
    Virtual patch for S2-049

    Create the following custom Deny Rule and enable the rule on all mappings connected to vulnerable Struts2 back-ends.

    Type Parameter-Value
    Pattern accessDecisionManager
    Case-sensitive off
    Invert off
    Airlock Vulnerability Status: 
    Does not affect Airlock
    Back-end Vulnerability Status: 
    Back-ends may be vulnerable, see resolution