Vulnerability Name: CVE-2017-15707 (CCN-135718)

Assigned: 2017-12-01
Published: 2017-12-01
Updated: 2019-04-26
Summary: In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library that is vulnerable and allows a DoS attack to be performed using a malicious request with a specially crafted JSON payload.
CVSS v3 Severity: 6.2 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-20
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2017-15707

Source: CCN
Type: IBM Security Bulletin 2013305 (Security Guardium)
IBM Security Guardium Database Activity Monitor is affected by a Public disclosed vulnerability from Apache Struts vulnerability (CVE-2017-15707)

Source: CCN
Type: IBM Security Bulletin 2013436 (InfoSphere Metadata Workbench)
A vulnerability in Struts affects IBM InfoSphere Metadata Workbench

Source: CONFIRM
Type: Patch
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Source: CONFIRM
Type: Patch
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: BID
Type: Third Party Advisory, VDB Entry
102021

Source: CCN
Type: BID-102021
Apache Struts CVE-2017-15707 Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1039946

Source: CCN
Type: Apache Struts 2 Documentation S2-054
A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin

Source: CONFIRM
Type: Patch, Vendor Advisory
https://cwiki.apache.org/confluence/display/WW/S2-054

Source: XF
Type: UNKNOWN
apache-struts-cve201715707-dos(135718)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20171214-0001/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:struts:*:*:*:*:*:*:*:* (Version >= 2.5 and <= 2.5.14)

Configuration 2:
  • cpe:/a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:global_lifecycle_management_opatchauto:*:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:6.5.11:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:15.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_portal:12.2.1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:struts:2.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.13:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.14:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.5.16:*:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:security_guardium:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.1.4:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID: oval:com.ubuntu.trusty:def:201715707000
Class: V (vulnerability)
Title: CVE-2017-15707 on Ubuntu 14.04 LTS (trusty) - untriaged.
Last Modified: 2017-12-01
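The summary above attributes the exposure to the REST plugin of Struts 2.5 through 2.5.14 shipping an outdated JSON-lib, so the quickest triage step is a dependency inventory of the deployment rather than sending payloads at it. The script below is an added example written for this page, not code from the Apache Struts project or from the S2-054 advisory: it parses jar names from a WEB-INF/lib directory, compares the struts2-rest-plugin version against the range stated in Configuration 1 (>= 2.5 and <= 2.5.14) with numeric rather than string comparison, and reports any json-lib jar found beside it. The artifact names struts2-rest-plugin and json-lib, the jar naming pattern, and the sample directory listing are assumptions constructed for the example.

```python
"""Triage check for CVE-2017-15707 (S2-054) exposure from a WEB-INF/lib listing.

Added example for this page, not Apache Struts code. The affected range comes
from Configuration 1 above (struts2-rest-plugin >= 2.5 and <= 2.5.14). The
artifact names "struts2-rest-plugin" and "json-lib" are assumptions about how
the jars are named in a deployment.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

AFFECTED_MIN = (2, 5)       # inclusive lower bound from Configuration 1
AFFECTED_MAX = (2, 5, 14)   # inclusive upper bound from Configuration 1

# <artifact>-<numeric version>[-qualifier].jar, e.g. json-lib-2.4-jdk15.jar
# (assumed Maven-style naming; the lazy artifact group stops at the first
# "-" that is followed by a dotted numeric version).
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)+)(?:-[A-Za-z0-9_.]+)?\.jar$"
)

# Constructed sample listing of a WEB-INF/lib directory (not taken from the page).
SAMPLE_LIB = [
    "struts2-core-2.5.14.jar",
    "struts2-rest-plugin-2.5.14.jar",
    "json-lib-2.4-jdk15.jar",
    "commons-lang3-3.7.jar",
    "xstream-1.4.10.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.14.1' -> (2, 5, 14, 1). Integer tuples compare numerically, so
    2.5.9 < 2.5.14, which a plain string comparison gets wrong."""
    return tuple(int(part) for part in text.split("."))


def in_affected_range(version: str) -> bool:
    """True when version lies in [2.5, 2.5.14] inclusive. Tuple ordering makes
    (2, 5) <= (2, 5, 0) and (2, 5, 14, 1) > (2, 5, 14), so a later point
    release such as 2.5.14.1 falls outside the stated range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_jar_names(jar_names: Iterable[str]) -> Dict[str, List[str]]:
    """Classify jar names. REST plugin versions inside the affected range go
    under "affected_rest_plugin"; any json-lib versions seen go under
    "json_lib", since the advisory blames the json-lib dependency the plugin
    relies on. Names that do not fit the pattern are ignored."""
    result: Dict[str, List[str]] = {"affected_rest_plugin": [], "json_lib": []}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact = m.group("artifact").lower()
        version = m.group("version")
        if artifact == "struts2-rest-plugin" and in_affected_range(version):
            result["affected_rest_plugin"].append(version)
        elif artifact == "json-lib":
            result["json_lib"].append(version)
    return result


def scan_lib_dir(lib_dir: Path) -> Dict[str, List[str]]:
    """Run the same check against a real WEB-INF/lib directory."""
    return scan_jar_names(p.name for p in lib_dir.glob("*.jar"))


def is_exposed(report: Dict[str, List[str]]) -> bool:
    """Exposure is decided by the REST plugin version; the json-lib entry is
    reported as corroborating evidence, not as a condition."""
    return bool(report["affected_rest_plugin"])


if __name__ == "__main__":
    report = scan_jar_names(SAMPLE_LIB)
    print(report)
    print("exposed to CVE-2017-15707:", is_exposed(report))
```

Point scan_lib_dir at the exploded WAR's WEB-INF/lib (or run scan_jar_names over the output of `unzip -l app.war`). A REST plugin version outside the range is reported as not exposed only with respect to the range this record states; a different advisory may widen it.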