#VU8114 Denial of service in Apache Struts - CVE-2017-9804
Vulnerability identifier: #VU8114
Vulnerability risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Struts
Server applications /
Frameworks for developing and running applications
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to server process overload when performing validation of the URL. A remote attacker can supply a specially crafted URL in a form field to trigger an error in regular expression (regex) processin, consume excessive CPU resources and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Mitigation
The vulnerability is addressed in the following versions: 2.5.13 and 2.3.34.
Vulnerable software versions
Apache Struts: 2.3.7 - 2.5.12
External links
https://cwiki.apache.org/confluence/display/WW/S2-051
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
