
=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN224

_____________________________________________________________________

DATE                : 14/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Struts versions prior to
                     2.5.31 or 6.1.2.1.

=====================================================================
https://cwiki.apache.org/confluence/display/WW/S2-064
https://cwiki.apache.org/confluence/display/WW/S2-063
_____________________________________________________________________

Summary

DoS via OOM owing to no sanity limit on normal form fields in
multipart forms.


Who should read this

All Struts 2 developers and users


Impact of vulnerability

Denial of Service


Maximum security rating

Important


Recommendation

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater


Affected Software

Struts 2.0.0 - Struts 6.1.2


Reporters

Matthew McClain


CVE Identifier

CVE-2023-34396


Problem

When a multipart request carries ordinary (non-file) form fields,
Struts used to read them into memory as Strings without checking
their size. This could exhaust the heap (OOM) if the developer had
set struts.multipart.maxSize to a value equal to or greater than
the available memory.


Solution

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.


Backward compatibility

No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1


Workaround

Set struts.multipart.maxSize to a value far smaller than the
available memory.

_____________________________________________________________________

Summary

DoS via OOM owing to improper checking of list bounds.


Who should read this

All Struts 2 developers and users


Impact of vulnerability

Denial of Service


Maximum security rating

Important


Recommendation

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater


Affected Software

Struts 2.0.0 - Struts 6.1.2


Reporters

Matthew McClain


CVE Identifier

CVE-2023-34149


Problem

WW-4620 added autoGrowCollectionLimit to XWorkListPropertyAccessor,
but the limit is enforced only in setProperty() and not in
getProperty(). This could lead to OOM if the developer has set
CreateIfNull to true for the underlying Collection-type field.


Solution

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.


Backward compatibility

No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1


Workaround

Set CreateIfNull to false for Collection-type fields (it defaults
to false when it is not set).
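Both workarounds above (the struts.multipart.maxSize limit for S2-064 and the CreateIfNull setting for S2-063) can be checked mechanically. The following is an added example and is not code from the CERT-Renater note or the Struts project; the 10% heap threshold, the regex-based Java scan and all sample inputs are assumptions constructed here.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_MAX_SIZE = 2_097_152  # Struts built-in default for struts.multipart.maxSize (2 MiB)

def multipart_max_size(struts_xml, struts_properties=""):
    """Effective struts.multipart.maxSize (struts.xml <constant> > struts.properties > default)."""
    size = DEFAULT_MAX_SIZE
    for line in struts_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "struts.multipart.maxSize":
            size = int(value.strip())
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == "struts.multipart.maxSize":
            size = int(const.get("value"))
    return size

def max_size_is_unsafe(max_size, max_heap_bytes, fraction=0.1):
    """S2-064 check; treating 'much smaller' as under 10% of -Xmx is an assumption made here."""
    return max_size >= max_heap_bytes * fraction

CREATE_IF_NULL = re.compile(r"@CreateIfNull\b(?:\s*\(\s*(?:value\s*=\s*)?(true|false)\s*\))?")
def create_if_null_fields(java_source):
    """S2-063 check: fields annotated @CreateIfNull(true); a bare @CreateIfNull is reported for review too."""
    fields = []
    for m in CREATE_IF_NULL.finditer(java_source):
        if m.group(1) == "false":
            continue
        # Declaration text up to the initializer or terminator; its last word is the field name.
        decl = java_source[m.end():].split(";", 1)[0].split("=", 1)[0]
        fields.extend(re.findall(r"\w+", decl)[-1:])
    return fields

STRUTS_XML = '<struts><constant name="struts.multipart.maxSize" value="1073741824"/></struts>'  # constructed sample
STRUTS_PROPERTIES = "struts.multipart.maxSize=104857600\n"  # constructed; overridden by struts.xml above
ACTION_JAVA = """public class OrderAction {
    @CreateIfNull(true) @Element(String.class) private List<String> tags = new ArrayList<>();
    @CreateIfNull(false) private List<String> safe;
}"""  # constructed sample action, not from any real code base

def audit(max_heap_bytes=512 * 1024 * 1024):
    """Run both checks against the sample inputs and return the list of findings."""
    findings = []
    size = multipart_max_size(STRUTS_XML, STRUTS_PROPERTIES)
    if max_size_is_unsafe(size, max_heap_bytes):
        findings.append(f"struts.multipart.maxSize={size} is not much smaller than a {max_heap_bytes}-byte heap")
    for name in create_if_null_fields(ACTION_JAVA):
        findings.append(f"field '{name}' is @CreateIfNull(true); set it to false or drop the annotation")
    return findings
```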


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

