Description:

Apache has released a new version of Apache Struts to address multiple vulnerabilities affecting systems that use the Struts REST plugin. A remote attacker could exploit the vulnerabilities by sending a specially crafted JSON payloads to the affected system.

Affected Systems:

• Apache Struts 2.5 to 2.5.14

Impact:

Successful exploitation of the vulnerabilities could lead to a denial-of-service (DoS) condition on an affected system.

Recommendation:

Administrators of the affected systems using Apache Struts 2.5 to 2.5.14 should upgrade the Apache Struts2 to 2.5.14.1 to address the issues. The update is available at:

• https://struts.apache.org/download.cgi

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. Details are available at:

• https://cwiki.apache.org/confluence/display/WW/S2-054
• https://cwiki.apache.org/confluence/display/WW/S2-055

More Information:

https://cwiki.apache.org/confluence/display/WW/S2-054
https://cwiki.apache.org/confluence/display/WW/S2-055
https://www.hkcert.org/my_url/en/alert/17120401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15707