
Apache Struts2 Vulnerabilities S2-048

S2-048, CVE-2017-9791

A critical Apache Struts 2 vulnerability has been published that may allow remote code execution when Struts 2.3.x is used together with the Struts 1 plugin and Struts 1 actions. The root cause is that untrusted request input passed into an ActionMessage is resolved as a message key and evaluated as an OGNL expression. For details see [1].

Airlock WAF itself is not affected because it does not use Apache Struts 2.


If you are using the Struts 1 plugin in Struts 2 on a back-end system, we strongly recommend applying the solution described in [1] (never pass raw user input to an ActionMessage, use resource keys instead) or upgrading to the newest Apache Struts 2.5.x release, which does not ship the Struts 1 plugin.
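The following is an added example (it is not code from the Airlock page, the vulnerability report or the Struts project) that shows the back-end fix from [1] in a Struts 1 action running under the Struts 2 Struts 1 plugin: the vulnerable construction is kept as a comment next to the safe one. The class and form names (SaveGangsterAction, GangsterForm) and the resource key struts1.gangsterAdded are assumptions chosen for illustration.

```java
// Added example, not from the original page. SaveGangsterAction, GangsterForm
// and the resource key "struts1.gangsterAdded" are assumed names.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

public class SaveGangsterAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        GangsterForm gform = (GangsterForm) form; // assumed form bean with getName()
        ActionMessages messages = new ActionMessages();

        // VULNERABLE (S2-048): the user-controlled name becomes part of the
        // message *key*. When the Struts 1 plugin hands the messages to the
        // Struts 2 TextProvider, an unknown key is returned as the message text
        // and evaluated as OGNL, so a name such as "%{...}" executes code.
        //
        // messages.add("msg",
        //     new ActionMessage("Gangster " + gform.getName() + " was added"));

        // SAFE: a fixed resource key. The user input is only the {0} argument
        // that is substituted into the localized text and is never parsed as
        // an expression. The properties file (assumed) contains:
        //   struts1.gangsterAdded=Gangster {0} was added
        messages.add("msg",
            new ActionMessage("struts1.gangsterAdded", gform.getName()));

        saveMessages(request, messages);
        return mapping.findForward("success");
    }
}
```

Resource keys should be audited everywhere an ActionMessage or ActionError is built from request data, not only in the action that was reported; any string concatenation into the key argument is the pattern to look for.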

Alternatively, the vulnerability can be mitigated with a virtual patch on Airlock WAF: configure a custom Deny Rule with the parameter value pattern below and enable the Deny Rule on all mappings that are connected to an affected back-end.


Case-sensitive = OFF
Invert = OFF

Note that this is the same virtual patch as described in the vulnerability report [2]. It blocks the known exploit pattern but does not remove the flaw; the back-end fix or upgrade above is still required.

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Back-ends may be vulnerable, see resolution