Summary
DoS via OOM owing to no sanity limit on normal form fields in multipart forms.Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Denial of Service |
Maximum security rating | Important |
Recommendation | Upgrade to Struts 2.5.31 or 6.1.2.1 or greater |
Affected Software | Struts 2.0.0 - Struts 6.1.2 |
Reporters | Matthew McClain |
CVE Identifier | CVE-2023-34396 |
Problem
When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory.
Solution
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1
Workaround
Set struts.multipart.maxSize to a value much much smaller than the available memory.