Headline
CVE-2023-34149: S2-063 - Apache Struts 2 Wiki
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Summary
Denial of service (DoS) via out-of-memory (OOM) owing to list bounds not being properly checked.
Who should read this: All Struts 2 developers and users
Impact of vulnerability: Denial of Service
Maximum security rating: Important
Recommendation: Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
Affected Software: Struts 2.0.0 - Struts 6.1.2
Reporters: Matthew McClain
CVE Identifier: CVE-2023-34149
Problem
WW-4620 added autoGrowCollectionLimit to XWorkListPropertyAccessor, but the limit is enforced only in setProperty() and not in getProperty(). This could lead to OOM if a developer has set CreateIfNull to true for the underlying Collection type field.
Solution
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1
Workaround
Set CreateIfNull to false for Collection type fields (it defaults to false if it is not set).
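Applying the workaround starts with knowing where CreateIfNull is switched on. The script below is an added example, not code from the advisory or from the Struts project: it reports `@CreateIfNull` annotations in Java sources and `CreateIfNull_<field>=true` entries in `*-conversion.properties` files. It assumes those two spellings from Struts' type-conversion conventions and that a bare `@CreateIfNull` means true; the sample class and properties content are constructed.

```python
import pathlib
import re
import sys

ANNOTATION = re.compile(r"@CreateIfNull\b\s*(?:\(\s*(?:value\s*=\s*)?(true|false)\s*\))?")
# <Class>-conversion.properties entry; "#"/"!" comment lines cannot match the anchored key.
PROPERTY = re.compile(r"^\s*CreateIfNull_([\w.]+)\s*[=:]\s*(\S+)")

def scan_java(text, name="<java>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]              # drop line comments
        if code.lstrip().startswith(("*", "/*")):  # skip block-comment lines
            continue
        for m in ANNOTATION.finditer(code):
            # Assumption: a bare annotation defaults to true, so only an
            # explicit "false" is considered safe.
            if (m.group(1) or "true") == "true":
                findings.append((name, lineno, m.group(0).strip()))
    return findings

def scan_properties(text, name="<properties>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROPERTY.match(line)
        if m and m.group(2).lower() == "true":
            findings.append((name, lineno, f"CreateIfNull_{m.group(1)}=true"))
    return findings

def scan_tree(root):
    root, hits = pathlib.Path(root), []
    for p in sorted(root.rglob("*.java")):
        hits += scan_java(p.read_text(errors="replace"), str(p))
    for p in sorted(root.rglob("*-conversion.properties")):
        hits += scan_properties(p.read_text(errors="replace"), str(p))
    return hits

# Constructed sample inputs (not from any real project).
SAMPLE_JAVA = """public class OrderAction {
    @CreateIfNull(value = true) private List<Item> items;
    @CreateIfNull(false) private List<Note> notes;
    // @CreateIfNull private List<Old> old;
    @CreateIfNull private List<Tag> tags;
}"""
SAMPLE_PROPS = "Element_items=com.example.Item\nCreateIfNull_items=true\nCreateIfNull_notes=false\n"

if __name__ == "__main__":
    hits = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
            else scan_java(SAMPLE_JAVA) + scan_properties(SAMPLE_PROPS))
    for name, lineno, what in hits:
        print(f"{name}:{lineno}: {what}")
```

Run it with a source directory as the only argument to scan a project; with no argument it scans the constructed samples.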
Related news
Denial of service via out of memory (OOM) owing to list bounds not being properly checked. When a multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if a developer has set struts.multipart.maxSize to a value equal to or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.