If an application allows users to enter a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated. The solution is to upgrade to Apache Struts version 2.5.12.
Vulnerable Product |
---|
apache struts 2.5.2 |
apache struts 2.5.10 |
apache struts 2.5.1 |
apache struts 2.5 |
apache struts 2.5.5 |
apache struts 2.5.10.1 |
apache struts 2.5.8 |

Big Red issues out-of-band patch for Apache and a few other urgent issues
Oracle has stepped outside its usual quarterly security fix cycle to address the latest Apache Struts 2 vulnerability. Ever since it emerged at the start of September, CVE-2017-9805 has been (in the words of a former Australian prime minister) “a shiver looking for a spine to crawl up”, because so many vendors use Apache to build Web interfaces and bake Struts 2 into their Web application framework. Big Red's sprawling product set meant fixes had to be deployed across more than 20 prod...