|Home > Security Bulletins > S2-011|
Long request parameter names might significantly promote the effectiveness of DOS attacks
|Who should read this||All Struts 2 developers|
|Impact of vulnerability||Denial-of-Service attacks|
|Maximum security rating||Important|
|Recommendation||Developers should upgrade to Struts 18.104.22.168|
|Affected Software||Struts 2.0.0 - Struts 2.3.4|
|Original JIRA Tickets||WW-3860|
Request parameters handled by Struts 2 are effectively treated as OGNL expressions. A possible DOS attacker might craft requests to a Struts 2 based application with extremely long parameter names. OGNL evaluation of the parameter name then will consume significant CPU cycles, thus promoting the effectiveness of the DOS attack.
As of Struts 22.214.171.124, parameter name length is limited to a maximum of 100 characters. This configuration may be customized by providing the newly introduced parameter "paramNameMaxLength" to the ParametersInteceptor configuration.
Thanks to Johno Crawford for the provided patch.
Please upgrade to Struts 126.96.36.199.