You are here

Apache Struts2 Vulnerabilities S2-050 and S2-051

S2-050, S2-051, CVE-2017-9793, CVE-2017-9804, CVE-2017-12611
struts2, xml, ognl

Struts2 before 2.5.13 and 2.3.34 is affected by the vulnerabilities S2-050, S2-051 and S2-053. The critical vulnerability S2-052 is described in article [5].

S2-050: A regular expression Denial of Service is possible when using URLValidator.
S2-051: A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin.
S2-053: A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals. Exploits are available.

Airlock Suite software is not affected because Apache Struts2 is not used.


If you are using an affected Apache Struts2 version on a back-end system we recommend to update to the newest Struts2 version. If this is not possible you can proceed as following:

The following virtual patches, if not already applied, can be configured on Airlock WAF to mitigate the vulnerability

For S2-050: Same patch as for S2-047 described Techzone article [4].
For S2-051: Same patch as for S2-052 described Techzone article [5].
For S2-053: Same patch as for S2-048 described Techzone article [6].

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution