...
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Denial-of-Service attacks |
| Maximum security rating | Important |
| Recommendation | Developers should upgrade to Struts 2.3.4.1 |
| Affected Software | Struts 2.0.0 - Struts 2.3.4 |
| Original JIRA Tickets | |
| Reporter | Johno Crawford |
| CVE Identifier | CVE-2012-4387 |
Problem
Request parameters handled by Struts 2 are effectively treated as OGNL expressions. An attacker can craft requests to a Struts 2 based application with extremely long parameter names; OGNL evaluation of each such parameter name then consumes significant CPU cycles, which makes these requests an effective denial-of-service (DoS) vector.
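The root of the problem is that a parameter *name* reaches an expression evaluator before anything has checked its size. The following is an added example, not code from Struts or from this bulletin: it shows the defensive idea of bounding parameter-name length before parsing, and a small scan over access-log lines to spot requests carrying oversized names. The 100-character bound, the `filter_parameters` / `scan_access_log` names and the sample log lines are assumptions constructed for this example; the real remedy remains the upgrade to Struts 2.3.4.1 the bulletin recommends.

```python
"""Added example (not Struts code): bound parameter-name length before any
expression evaluation, and flag requests in access logs that exceed the bound."""
import re
from urllib.parse import parse_qsl

# Assumption: a conservative upper bound; legitimate parameter names are far shorter.
MAX_PARAM_NAME_LENGTH = 100


def filter_parameters(query_string, max_len=MAX_PARAM_NAME_LENGTH):
    """Parse a raw query string and drop any parameter whose NAME exceeds max_len.

    The check runs on the decoded name only, before the name could reach an
    evaluator such as OGNL. Returns (accepted, rejected) where `accepted`
    maps name -> list of values and `rejected` lists the lengths of dropped names.
    """
    accepted = {}
    rejected = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if len(name) > max_len:
            rejected.append(len(name))  # record only the length, never echo the name
            continue
        accepted.setdefault(name, []).append(value)
    return accepted, rejected


# Combined/common access-log format; only the fields the scan needs are captured.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def longest_param_name(path):
    """Length of the longest decoded parameter name in a request path, 0 if none."""
    query = path.partition('?')[2]
    return max((len(name) for name, _ in parse_qsl(query, keep_blank_values=True)), default=0)


def scan_access_log(lines, max_len=MAX_PARAM_NAME_LENGTH):
    """Return (client ip, truncated path, longest name length) for each request
    whose longest parameter name exceeds max_len."""
    hits = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # not a request line in the expected format; skip it
        longest = longest_param_name(match.group('path'))
        if longest > max_len:
            hits.append((match.group('ip'), match.group('path')[:40], longest))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2012:10:01:02 +0000] '
    '"GET /app/login.action?username=alice&redirect=%2Fhome HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2012:10:01:07 +0000] '
    '"GET /app/login.action?' + 'x' * 2000 + '=1 HTTP/1.1" 200 640',
    '198.51.100.2 - - [10/Sep/2012:10:01:09 +0000] '
    '"POST /app/save.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, longest in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: longest parameter name is {longest} chars ({path}...)")
```

The guard is deliberately placed before parsing into the application's parameter map, since the CPU cost here comes from evaluating the name itself; rejecting by length is cheap and needs no knowledge of OGNL syntax. The log scan uses the same bound so that a tuning change applies to both prevention and detection.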
...