CERT-In Vulnerability Note
Multiple Vulnerabilities in Apache Struts2
Original Issue Date: September 11, 2017
Severity Rating: MEDIUM
- Apache Struts version 2.1.2 to 2.3.33
- Apache Struts version 2.5 to 2.5.12
Multiple vulnerabilities have been reported in Apache Struts 2 which could be exploited by a remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on the target system.
1. Denial of Service Vulnerability
This vulnerability exists in Apache Struts 2 due to insufficient validation of user-supplied input in the URLValidator feature. An attacker could exploit this vulnerability by sending a specially crafted URL in a form field of an application.
Successful exploitation of this vulnerability could allow a remote attacker to cause a denial of service (DoS) condition on the target system.
2. Arbitrary Code Execution Vulnerability
This vulnerability exists in Apache Struts 2 due to the improper deserialization of XML requests by the REST (Representational State Transfer) plug-in with the XStream handler. An attacker could exploit this vulnerability by sending crafted XML content to a targeted system.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the target system.
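The REST plug-in picks its content handler from the request extension, so an application that does not consume XML can stop the XStream handler from being reached. The struts.xml fragment below is an added example, not part of this CERT-In note, and assumes the Struts 2 REST plug-in's own `struts.action.extension` constant and its default value; it is a stop-gap for deployments that cannot upgrade immediately.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Weak: the REST plug-in's default extension list (assumed) keeps
         the "xml" extension mapped to the XStream handler, so a crafted
         XML body posted to any REST action is deserialized. -->
    <!-- <constant name="struts.action.extension" value="xhtml,,xml,json" /> -->

    <!-- Restricted: serve only HTML pages and JSON. With no "xml"
         extension the XStream handler is never selected for a request.
         Remove the REST plug-in jar entirely if REST is not used. -->
    <constant name="struts.action.extension" value="xhtml,,json" />

    <package name="rest-example" extends="rest-default">
        <!-- REST actions mapped by the convention plug-in go here -->
    </package>
</struts>
```

After the change, confirm with a request using the `.xml` extension that the application returns an error rather than an XML response.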
Apply the appropriate fix as mentioned in the following link:
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003