Summary
A DoS attack is available for Spring secured actions.

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | A DoS attack is available for Spring secured actions |
| Maximum security rating | Medium |
| Recommendation | Upgrade to Struts 2.5.12 |
| Affected Software | Struts 2.5 - Struts 2.5.10.1 |
| Reporter | Yasser Zamani <yasser dot zamani at live dot com> |
| CVE Identifier | CVE-2017-9787 |
Problem
When Spring AOP functionality is used to secure Struts actions, a properly authenticated user can perform a DoS attack against the application.
Solution
Upgrade to Apache Struts version 2.5.12.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
If upgrading is not immediately possible, define the following constant in struts.xml (inside the <struts> root element). struts.additional.excludedPatterns is a comma-separated list of regular expressions; any request parameter whose name matches one of them is dropped by the parameters interceptor before it can be bound, so this entry discards parameter names that reach accessDecisionManager through a nested property path:

```xml
<constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" />
```
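The following Python snippet is an added example, not part of the advisory or of Struts itself. It models how an excluded-pattern list is applied to incoming parameter names, so you can check which names the workaround pattern drops before deploying it. The matching semantics are an assumption modelled on Struts' DefaultExcludedPatternsChecker, which requires each pattern to match the whole parameter name (Java's Matcher.matches(), reproduced here with re.fullmatch); the parameter names are constructed for illustration and are not taken from any exploit.

```python
import re

# Workaround pattern from the advisory (value of struts.additional.excludedPatterns).
ACCESS_DECISION_MANAGER_PATTERN = r".*\.accessDecisionManager\..*"

# Constructed request parameter names for illustration only. They are not from
# a real request or exploit; they simply cover the cases the pattern must decide on.
SAMPLE_PARAMETER_NAMES = [
    "username",
    "order.id",
    "action.accessDecisionManager.decisionVoters",
    "accessDecisionManager.allowIfAllAbstainDecisions",  # no leading dot: not matched
    "x.accessDecisionManager.y",
]


def excluded_parameters(param_names, patterns=(ACCESS_DECISION_MANAGER_PATTERN,)):
    """Return the parameter names the excluded-pattern list would drop.

    Assumption: a pattern excludes a name only if it matches the *entire* name,
    as Struts' DefaultExcludedPatternsChecker does with Matcher.matches().
    This is why the advisory's pattern needs the leading and trailing ".*".
    """
    compiled = [re.compile(p) for p in patterns]
    return [name for name in param_names if any(c.fullmatch(name) for c in compiled)]


def accepted_parameters(param_names, patterns=(ACCESS_DECISION_MANAGER_PATTERN,)):
    """Return the parameter names that survive the exclusion check and would be bound."""
    excluded = set(excluded_parameters(param_names, patterns))
    return [name for name in param_names if name not in excluded]


if __name__ == "__main__":
    print("excluded:", excluded_parameters(SAMPLE_PARAMETER_NAMES))
    print("accepted:", accepted_parameters(SAMPLE_PARAMETER_NAMES))
    # A pattern without the wildcards would not match a full parameter name,
    # so it would exclude nothing under full-match semantics.
    print("without wildcards:",
          excluded_parameters(SAMPLE_PARAMETER_NAMES, (r"\.accessDecisionManager\.",)))
```

Under these assumptions, only the names that contain ".accessDecisionManager." as an interior path segment are dropped; a name that starts with accessDecisionManager (no leading dot) is not caught by the advisory's pattern, so if your application exposes such a path you would need an additional pattern. Dropping the wildcards, as happens when the asterisks are lost in copy-and-paste, makes the workaround silently ineffective.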