
Struts2: incorrect default exclude patterns

CVE-2015-1831, CB-K15/0640, S2-024

An Apache Struts2 vulnerability was introduced in version 2.3.20. An attacker can compromise the internal application state [1]. The vulnerability is fixed in version which defines a better set of exclude parameters.

Airlock WAF is not affected because Apache Struts2 is not installed/used.


If you are using Apache Struts2 2.3.20 on a back-end application, we strongly recommend updating to version or higher.

If you are not able to update Struts2, the vulnerability can be mitigated with a virtual patch on Airlock WAF. To do this, define and activate the following parameter name deny rule for all affected mappings.



Case-sensitive = OFF
Invert = OFF

In contrast to the fix in Struts2, where parameters with a matching name are simply no longer set on the internal parameter stack, this deny rule blocks any request that contains a parameter with a matching name. If you enable this pattern, test your application for false-positive blocks.
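The following added example (not part of the advisory and not Airlock's or Struts2's own code) models the two behaviours described above side by side: the Struts2 fix, which drops matching parameters from the stack and lets the request continue, and the Airlock parameter name deny rule, which rejects the whole request. It also shows a dry run over constructed sample requests, the kind of false-positive check recommended before the rule is enabled. The deny pattern, the sample requests and the use of `re.search` for name matching are assumptions; the advisory's real pattern is not reproduced here.

```python
import re
from typing import Dict, Iterable, List

# Constructed placeholder pattern for illustration only; it is NOT the
# advisory's real deny pattern, which this page does not reproduce.
DENY_PATTERN = r"^blocked_prefix_.*"


def compile_rule(pattern: str, case_sensitive: bool = False) -> re.Pattern:
    """Build the matcher for a parameter name deny rule.

    Case-sensitive = OFF (the advisory's setting) maps to re.IGNORECASE.
    Invert = OFF means the match result is used as-is, so no negation is modelled.
    Assumption: names are matched with re.search, so anchoring comes from the pattern.
    """
    return re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)


def strip_excluded(params: Dict[str, str], rule: re.Pattern) -> Dict[str, str]:
    """Struts2-style exclusion: matching parameter names are dropped from the
    parameter stack, all other parameters are kept and the request proceeds."""
    return {name: value for name, value in params.items() if not rule.search(name)}


def request_blocked(params: Dict[str, str], rule: re.Pattern) -> bool:
    """WAF-style deny rule: a single matching parameter name rejects the whole request."""
    return any(rule.search(name) for name in params)


def dry_run(requests: Iterable[Dict[str, str]], rule: re.Pattern) -> List[int]:
    """Return the indexes of requests the rule would block.
    Run this over a sample of real traffic to find false positives before activating."""
    return [i for i, params in enumerate(requests) if request_blocked(params, rule)]


# Constructed sample requests (parameter name -> value); not captured traffic.
SAMPLE_REQUESTS = [
    {"username": "alice", "page": "3"},
    {"blocked_prefix_x": "1", "page": "3"},
    {"BLOCKED_PREFIX_y": "1"},
    {"harmless": "x"},
]

if __name__ == "__main__":
    rule = compile_rule(DENY_PATTERN)  # Case-sensitive = OFF
    print("blocked request indexes:", dry_run(SAMPLE_REQUESTS, rule))
    print("Struts2-style view of request 1:", strip_excluded(SAMPLE_REQUESTS[1], rule))
```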

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Airlock protects, requires changes in configuration