Home > Security Bulletins > S2-044

Summary

Possible DoS attack when using URLValidator

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating

Low

Recommendation

Upgrade to Struts 2.5.8

Affected Software

Struts 2.5 - Struts 2.5.5

Reporter

 Jonathan Bullock <jonbullock at gmail dot com>

CVE Identifier

CVE-2016-8738

Problem

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

Solution

Upgrade to Apache Struts version 2.5.8.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Trim passed value before assigning it to a field, e.g.

public String setUserUrl(String userUrl) {
    this.userUrl = userUrl.trim();
}