Home > Security Bulletins > S2-047

Summary

Possible DoS attack when using URLValidator (similar to S2-044)

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating

Low

Recommendation

Upgrade to Struts 2.5.12

Affected Software

Struts 2.5 - Struts 2.5.10.1

Reporter

Jonathan Bullock <jonbullock at gmail dot com>

CVE Identifier

CVE-2017-7672

Problem

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

Solution

Upgrade to Apache Struts version 2.5.12.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Instead of using the default RegEx provided by the UrlValidator you can use the below one:

"^(https?|ftp):\\/\\/" +
"(([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+" +
"(:([a-z0-9$_\\.\\+!\\*\\'\\(\\),;\\?&=-]|%[0-9a-f]{2})+)?" +
"@)?(#?" +
")((([a-z0-9]\\.|[a-z0-9][a-z0-9-]*[a-z0-9]\\.)*" +
"[a-z][a-z0-9-]*[a-z0-9]" +
"|((\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])\\.){3}" +
"(\\d|[1-9]\\d|1\\d{2}|2[0-4][0-9]|25[0-5])" +
")(:\\d+)?" +
")(((\\/{0,1}([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)*" +
"(\\?([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)" +
"?)?)?" +
"(#([a-z0-9$_\\.\\+!\\*\\'\\(\\),;:@&=-]|%[0-9a-f]{2})*)?" +
"$";