S2-034


OGNL cache poisoning can lead to DoS vulnerability

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack

Maximum security rating



This issue was resolved by publishing a new OGNL version; any Struts version that uses at least OGNL 3.0.12 is safe.

Affected Software

Struts 2.0.0 - Struts


Tao Wang wangtao12 at baidu dot com - Baidu Security Response Center

CVE Identifier



The OGNL expression language used by the Apache Struts framework has an improper implementation of the cache used to store method references. It is possible to prepare a DoS attack that blocks access to a web site.


You should upgrade OGNL to at least version 3.0.12, either directly or by upgrading to the latest Struts version.

Backward compatibility

No issues are expected when upgrading OGNL or Struts.


Not possible except upgrading OGNL as mentioned above.
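
To find deployments that still ship an OGNL older than 3.0.12, the following added example (not part of the original bulletin or of the Struts project) scans a directory tree for OGNL jars, including those packed inside WAR/EAR archives. It assumes the jars keep the Maven-style file name `ognl-<version>.jar`; the function names are hypothetical, and only file names are checked, not jar contents.

```python
import re
import sys
import zipfile
from pathlib import Path

MIN_SAFE = (3, 0, 12)  # threshold stated in the bulletin: OGNL 3.0.12 or later
# Assumption: jars are named ognl-<version>.jar (optionally with a suffix).
OGNL_JAR = re.compile(r"(?:^|/)ognl-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """Turn '3.0.6' into (3, 0, 6), padded to at least three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(jar_path):
    """Return (version, is_safe) for an OGNL jar path, or None for other files."""
    match = OGNL_JAR.search(jar_path.replace("\\", "/"))
    if not match:
        return None
    version = parse_version(match.group(1))
    return version, version >= MIN_SAFE


def scan(root):
    """Check loose jars under root and jars packed inside WAR/EAR archives."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        result = classify(path.as_posix())
        if result:
            findings.append((path.as_posix(), *result))
        elif path.suffix.lower() in (".war", ".ear"):
            try:
                with zipfile.ZipFile(path) as archive:
                    for name in archive.namelist():
                        inner = classify(name)
                        if inner:
                            findings.append((f"{path.as_posix()}!{name}", *inner))
            except zipfile.BadZipFile:
                continue  # unreadable archive: skip it
    return findings


if __name__ == "__main__":
    for location, version, safe in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "ok" if safe else "UPGRADE (below 3.0.12)"
        print(f"{'.'.join(map(str, version))}  {status}  {location}")
```

Run it with the application server's deployment directory as the only argument; every line marked `UPGRADE` points at a copy of OGNL that predates the fix.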

