|Home > Security Bulletins > S2-011|
Long request parameter names might significantly promote the effectiveness of DOS attacks
Who should read this
All Struts 2 developers
Impact of vulnerability
Maximum security rating
Developers should upgrade to Struts 18.104.22.168
Struts 2.0.0 - Struts 2.3.4
Original JIRA Tickets
Request parameters handled by Struts 2 are effectively treated as OGNL expressions. A possible DOS attacker might craft requests to a Struts 2 based application with extremely long parameter names. OGNL evaluation of the parameter name then will consume significant CPU cycles, thus promoting the effectiveness of the DOS attack.
As of Struts 22.214.171.124, parameter name length is limited to a maximum of 100 characters. This configuration may be customized by providing the newly introduced parameter "paramNameMaxLength" to the ParametersInteceptor configuration.
Thanks to Johno Crawford for the provided patch.
Please upgrade to Struts 126.96.36.199.