Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache Struts2 S2-054 DoS Vulnerability

🗓️ 02 Dec 2017 00:00:00Reported by Huijun ChenType 
zdt
 zdt🔗 0day.today👁 38 Views

Crafted JSON request causes DoS in Apache Struts2 S2-05

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by a Public disclosed vulnerability from Apache Struts vulnerability (CVE-2017-15707)
16 Jun 201822:05
ibm
IBM Security Bulletins		Security Bulletin: A vulnerability in Struts affects IBM InfoSphere Metadata Workbench
16 Jun 201814:19
ibm
BDU FSTEC		The vulnerability of the JSON-lib library used in REST plugins of the Apache Struts software framework allows attackers to induce a service failure.
16 May 201900:00
bdu_fstec
Broadcom		BSA-2018-588
9 Dec 201700:00
broadcom
CNVD		Apache Struts2 S2-054 Denial of Service Vulnerability
2 Dec 201700:00
cnvd
CVE		CVE-2017-15707
1 Dec 201716:00
cve
Cvelist		CVE-2017-15707
1 Dec 201716:00
cvelist
EUVD		EUVD-2018-0714
7 Oct 202500:30
euvd
F5 Networks		K27638900: Apache Struts vulnerability CVE-2017-15707
21 Feb 202319:00
f5
Github Security Blog		Moderate severity vulnerability that affects org.apache.struts:struts2-rest-plugin
16 Oct 201819:35
github
Rows per page
Summary

A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin
	
Who should read this 	All Struts 2 developers and users which are using the REST plugin
Impact of vulnerability 	A DoS attack is possible when using outdated json-lib with the Struts REST plugin
Maximum security rating 	Medium
Recommendation 	Upgrade to Struts 2.5.14.1
Affected Software 	Struts 2.5 - Struts 2.5.14
Reporter 	Huijun Chen, XiaoLong Zhu - Huawei Technologies
CVE Identifier 	CVE-2017-15707
Problem

The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Solution

Upgrade to Apache Struts version 2.5.14.1. Another solution is to use the Jackson handler instead of the default JSON-lib handler as described here.
Backward compatibility

No backward incompatibility issues are expected.
Workaround

Use Jackson handler instead of the default JSON-lib handler as described here.

Source
https://cwiki.apache.org/confluence/display/WW/s2-054

#  0day.today [2018-04-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2017 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.01534
apache struts2dos attackjson request .
38