You are here

Apache Struts2: Denial of Service (S2-047 and S2-049)

S2-047, S2-049, CVE-2017-9787, CVE-2017-7672
apache struts2

Two Apache Struts2 vulnerabilities have been released. An attacker may cause a denial of service attack.

S2-047: Affects Struts2 versions 2.5 up to when using the built-in URLValidator on user-supplied data. The severity rating given by Apache Struts2 is low.

S2-049: Affects Struts2 versions 2.3.7 up to 2.3.32 and 2.5 up to when using Spring secured actions. The severity rating given by Apache Struts2 is medium.

For further details see [1,2].


If you are using an affected Apache Struts2 version on a back-end system where you can not rule-out the presence of the vulnerability we recommend to update Struts2 to version 2.5.12 or higher (or 2.3.33 for S2-049).

If you can not upgrade Struts2 we recommend to configure the following virtual patches on Airlock WAF.

Virtual patch for S2-047

Create a new Allow Rule on all mappings connected to vulnerable Struts2 back-ends.

Path pattern template (default) No Restriction
HTTP method OFF - (default) No Restriction
Content type OFF - (default) No Restriction
IP address OFF - (default) No Restriction
1. Parameter name pattern .*
1. Parameter value pattern template (default) No Restriction
2. Parameter name pattern List all parameter names of your application where full qualified URLs are expected.
2. Parameter value pattern ^(?:(?!.*/\*.*\*/)[a-zA-Z][a-zA-Z0-9\-]{1,39}:\/\/[^<>"'`|;()\h\v\p{C}]*)?$
Virtual patch for S2-049

Create the following custom Deny Rule and enable the rule on all mappings connected to vulnerable Struts2 back-ends.

Type Parameter-Value
Pattern accessDecisionManager
Case-sensitive off
Invert off
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution