Published on: 04 December 2017
Apache has released a new version of Apache Struts to address multiple vulnerabilities affecting systems that use the Struts REST plugin. A remote attacker could exploit the vulnerabilities by sending specially crafted JSON payloads to the affected system.
Successful exploitation of the vulnerabilities could lead to a denial-of-service (DoS) condition on an affected system.
Administrators of affected systems running Apache Struts 2.5 to 2.5.14 should upgrade to Apache Struts 2.5.14.1 to address the issues. The update is available at:
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. Details are available at:
https://cwiki.apache.org/confluence/display/WW/S2-054
https://cwiki.apache.org/confluence/display/WW/S2-055
https://www.hkcert.org/my_url/en/alert/17120401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15707
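The affected range stated above (Struts 2.5 through 2.5.14, fixed in 2.5.14.1) has a four-component fix version, which a naive string comparison sorts incorrectly. The inventory check below is an added example, not part of the advisory; the jar file names it scans are constructed, and the `struts2-core-<version>.jar` / `struts2-rest-plugin-<version>.jar` naming is assumed to match a deployed application's `WEB-INF/lib`.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Range taken from the advisory: 2.5 .. 2.5.14 affected, 2.5.14.1 carries the fix.
AFFECTED_MIN = (2, 5, 0, 0)
FIXED_IN = (2, 5, 14, 1)

CORE_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
REST_RE = re.compile(r"struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """'2.5.14.1' -> (2, 5, 14, 1); shorter versions are zero-padded so that
    '2.5' compares as 2.5.0.0. Integer tuples compare element-wise, which avoids
    the lexicographic mistake where '2.5.14.1' < '2.5.2'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))


def is_affected(version: str) -> bool:
    """True when the core version falls inside [2.5, 2.5.14.1)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def jar_version(filename: str, pattern: re.Pattern = CORE_RE) -> Optional[str]:
    m = pattern.search(filename)
    return m.group(1) if m else None


def has_rest_plugin(filenames: Iterable[str]) -> bool:
    """The advisory scopes the issue to deployments using the REST plugin."""
    return any(REST_RE.search(f) for f in filenames)


def triage(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each struts2-core jar to a verdict; other jars are ignored."""
    verdicts = {}
    for name in filenames:
        ver = jar_version(name)
        if ver is None:
            continue
        verdicts[name] = ("affected, upgrade to 2.5.14.1" if is_affected(ver)
                          else "outside affected range")
    return verdicts


# Constructed sample inventory (not real paths from the advisory).
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.5.13.jar",
    "/opt/app/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
    "/opt/patched/WEB-INF/lib/struts2-core-2.5.14.1.jar",
    "/opt/legacy/WEB-INF/lib/struts2-core-2.3.34.jar",
]

if __name__ == "__main__":
    print("REST plugin present:", has_rest_plugin(SAMPLE_JARS))
    for jar, verdict in triage(SAMPLE_JARS).items():
        print(jar, "->", verdict)
```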