Apache Struts URLValidator class Denial of Service Vulnerability (CVE-2016-4465)
Release date:
Updated on:
Affected Systems:
Apache Group Struts2 2.5.x < 2.5.1
Apache Group Struts2 2.3.20 - 2.3.28.1
Description:
CVE (CAN) ID: CVE-2016-4465
Struts2 is an extensible framework for building enterprise-level Java web applications.
Apache Struts 2 versions 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 contain a vulnerability in the URLValidator class. A remote attacker can trigger a denial of service by submitting a null value for a field that is validated with URLValidator.
<* Source: ASAI Ken tc535mr2
Link: https://struts.apache.org/docs/s2-041.html
*>
Suggestion:
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Redefine the regex used by URLValidator in the field's XML validator definition, as shown below. The urlRegex value must be a single unbroken line with no whitespace; the field name and message are placeholders to adapt to the application:
<validator type="url">
    <param name="fieldName">myHomePage</param>
    <param name="urlRegex">^(https?|ftp):\/\/(([a-z0-9$_\.\+!\*\'\(\),;\?&=-]|%[0-9a-f]{2})+(:([a-z0-9$_\.\+!\*\'\(\),;\?&=-]|%[0-9a-f]{2})+)?@)?(#?)((([a-z0-9]\.|[a-z0-9][a-z0-9-]*[a-z0-9]\.)*[a-z][a-z0-9-]*[a-z0-9]|((\d|[1-9]\d|1\d{2}|2[0-4][0-9]|25[0-5])\.){3}(\d|[1-9]\d|1\d{2}|2[0-4][0-9]|25[0-5]))(:\d+)?)(((\/{0,1}([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)*(\?([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)?)?)?(#([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)?$</param>
    <message>Invalid homepage url</message>
</validator>
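Before copying the replacement regex into a validator definition it is worth checking that it accepts the URLs the application really receives and that the null/empty value the advisory describes is rejected before it ever reaches the regex engine. The script below is an added example, not code from the advisory or from the Struts project. It holds the workaround pattern from the XML above and applies it the way a field validator would. It is written in Python rather than Java because the constructs used in this pattern (anchors, alternation, character classes, bounded repetition) have the same meaning in Python's re module as in java.util.regex; the assumption that the pattern is compiled case-insensitively, and the sample URLs, are constructed for illustration.

```python
import re
from typing import Optional

# The replacement urlRegex from the advisory's workaround, with the page's
# spacing and case garbling removed; otherwise it is the pattern shown in the
# <param name="urlRegex"> element above.
URL_REGEX = (
    r"^(https?|ftp):\/\/"
    r"(([a-z0-9$_\.\+!\*\'\(\),;\?&=-]|%[0-9a-f]{2})+"
    r"(:([a-z0-9$_\.\+!\*\'\(\),;\?&=-]|%[0-9a-f]{2})+)?@)?"
    r"(#?)"
    r"((([a-z0-9]\.|[a-z0-9][a-z0-9-]*[a-z0-9]\.)*[a-z][a-z0-9-]*[a-z0-9]"
    r"|((\d|[1-9]\d|1\d{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"(\d|[1-9]\d|1\d{2}|2[0-4][0-9]|25[0-5]))(:\d+)?)"
    r"(((\/{0,1}([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)*"
    r"(\?([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)?)?)?"
    r"(#([a-z0-9$_\.\+!\*\'\(\),;:@&=-]|%[0-9a-f]{2})*)?$"
)

# Assumption (not stated in the advisory): the pattern is compiled
# case-insensitively, so "HTTP://EXAMPLE.COM" is accepted even though the
# pattern only lists lower-case letters.
_URL_PATTERN = re.compile(URL_REGEX, re.IGNORECASE)


def is_valid_url(value: Optional[str]) -> bool:
    """Mimic a field validator: a null/empty value is rejected outright,
    without being handed to the regex engine, and any other value must
    match the anchored pattern from start to end."""
    if value is None or value == "":
        return False
    return _URL_PATTERN.match(value) is not None


def check_all(values):
    """Run the validator over several candidate values and report which
    were accepted, as a pre-deployment check of the regex."""
    return {v: is_valid_url(v) for v in values}


if __name__ == "__main__":
    # Constructed sample inputs: typical URLs plus the cases that must fail.
    samples = [
        "http://example.com",
        "https://user:pass@example.com:8443/path/to/page?q=1&x=y#frag",
        "ftp://192.168.0.1/file.txt",
        "HTTP://EXAMPLE.COM",
        None,
        "",
        "javascript:alert(1)",
        "example.com",
        "http://example.com/a b",
    ]
    for url, ok in check_all(samples).items():
        print(f"{'accept' if ok else 'reject'}: {url!r}")
```

Run the script against the URL values the application stores in production; any legitimate value printed as "reject" means the pattern needs adjusting before it is put into the validator definition.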
Vendor patch:
Apache Group
------------
Apache Group has published security bulletin S2-041 and fixed releases for this issue (upgrade to Struts 2.3.29 or 2.5.1):
S2-041: Possible DoS attack when using URLValidator
Link: https://struts.apache.org/docs/s2-041.html
Reference link: https://bugzilla.redhat.com/show_bug.cgi?id=1348253