...
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | A Possible DoS attack is available for Spring secured actionswhen using URLValidator |
Maximum security rating | Low |
Recommendation | Upgrade to Struts 2.5.13 or Struts 2.3.34 |
Affected Software | Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 |
Reporter | Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at gmail dot com> |
CVE Identifier | CVE-2017-9804 |
...
No backward incompatibility issues are expected.
Workaround
Please define the below constant in a struts.xml fileInstead of using the default RegEx provided by the UrlValidator you can use the below one:
| Code Block |
|---|
"^(?:https?|ftp):\\/\\/" +
"(?:(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+" +
"(?::(?:[a-z0-9$_.+!*'(),;?&=\\-]|%[0-9a-f]{2})+)?" +
"@)?#?" +
"(?:(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)*" +
"[a-z][a-z0-9-]*[a-z0-9]" +
"|(?:(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])\\.){3}" +
"(?:[1-9]?\\d|1\\d{2}|2[0-4]\\d|25[0-5])" +
")(?::\\d+)?" +
")(?:(?:\\/(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)*" +
"(?:\\?(?:[a-z0-9$_.+!*'(),;:@&=\\-\\/:]|%[0-9a-f]{2})*)?)?" +
"(?:#(?:[a-z0-9$_.+!*'(),;:@&=\\-]|%[0-9a-f]{2})*)?" +
"$" |
...