Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

Excerpt

Removed: OGNL cache poisoning can lead to DoS vulnerability
Added: Action name clean up is error prone

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Removed: Possible DoS attack
Added: Possible way to craft vulnerable payload

Maximum security rating

Removed: Important
Added: Low

Recommendation

Removed: This issue was resolved by publishing a new OGNL version; any Struts version that uses at least OGNL 3.0.12 is safe
Added: Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.

Affected Software

Removed: Struts 2.0.0 - Struts 2.3.24.1
Added: Struts 2.0.0 - Struts 2.3.28.1

Reporters

Alvaro Munoz alvaro dot munoz at hpe dot com

Sam Ng samn at hpe dot com

Tao Wang wangtao12 at baidu dot com - Baidu Security Response Center

CVE Identifier

Removed: CVE-2016-3093
Added: CVE-2016-4436

Problem

Removed: The OGNL expression language used by the Apache Struts framework has an improper implementation of the cache used to store method references. It's possible to prepare a DoS attack which can block access to a web site
Added: The method used to clean up the action name can produce a vulnerable payload based on crafted input, which can be used by an attacker to perform an unspecified attack.

Solution

Removed: You can upgrade OGNL at least to version 3.0.12 or by upgrading to latest Struts version
Added: You should upgrade to latest Struts version or implement your own version of ActionMapper based on source code of recommended Struts versions.

Backward compatibility

No issues expected when upgrading to OGNL or Struts version.

Workaround

Removed: Not possible except upgrading OGNL as mentioned above
Added: Implement your own version of clean up method which will throw an exception.