Bug 985817 (CVE-2016-4465) - VUL-0: CVE-2016-4465: struts: Possible DoS attack when using URLValidator
Summary: VUL-0: CVE-2016-4465: struts: Possible DoS attack when using URLValidator
Status: RESOLVED INVALID
Alias: CVE-2016-4465
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None; Severity: Normal
Target Milestone: ---
Assignee: Tomáš Chvátal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170363/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-21 07:55 UTC by Marcus Meissner
Modified: 2016-06-21 07:56 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2016-06-21 07:55:46 UTC
https://struts.apache.org/docs/s2-041.html

Summary: Possible DoS attack when using URLValidator

Who should read this: All Struts 2 developers and users

Impact of vulnerability: Possible DoS attack when using URLValidator

Maximum security rating: Low

Recommendation: Upgrade to Struts 2.3.29 or Struts 2.5.1

Affected Software: Struts 2.3.20 - Struts 2.3.28.1 and Struts 2.5

Reporter: ASAI Ken tc535mr2 at gmail dot com

CVE Identifier: CVE-2016-4465

Problem

If an application allows entering a URL field in a form and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL.

Solution

Upgrade to Apache Struts version 2.3.29 or 2.5.1.

Backward compatibility

No backward incompatibility issues are expected.
Comment 1 Marcus Meissner 2016-06-21 07:56:11 UTC
This affects Struts 2; we only ship Struts 1.