CVE-2017-15707: Input Validation
First published: Fri Dec 01 2017(Updated: )
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Struts 2 | >=2.5<=2.5.14 | |
| NetApp OnCommand Balance | ||
| Oracle Agile Product Lifecycle Management Framework | =9.3.6 | |
| Oracle Enterprise Manager for Virtualization | =13.2.2 | |
| Oracle Enterprise Manager for Virtualization | =13.2.3 | |
| Oracle Financial Services Hedge Management and IFRS Valuations | =8.0.4 | |
| Oracle Financial Services Hedge Management and IFRS Valuations | =8.0.5 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.5 | |
| Oracle Global Lifecycle Management OPatchAuto | ||
| Oracle JD Edwards EnterpriseOne Tools | =9.2 | |
| Oracle Retail Order Broker | =5.2 | |
| Oracle Retail Xstore Office Cloud Service | =6.5.11 | |
| Oracle Retail Xstore Office Cloud Service | =7.0.6 | |
| Oracle Retail Xstore Office Cloud Service | =7.1.6 | |
| Oracle Retail Xstore Office Cloud Service | =15.0.1 | |
| Oracle Retail Xstore Office Cloud Service | =16.0.2 | |
| Oracle WebCenter Portal | =12.2.1.2.0 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.2 | |
| Oracle WebLogic Server | =12.2.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/102021
- http://www.securitytracker.com/id/1039946
- https://cwiki.apache.org/confluence/display/WW/S2-054
- https://security.netapp.com/advisory/ntap-20171214-0001/
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2017-15707.
What is the title of this vulnerability?
The title of this vulnerability is "In Apache Struts 2.5 to 2.5.14 the REST Plugin is using an outdated JSON-lib library which is vulnerable to a DoS attack."
What is the severity level of CVE-2017-15707?
The severity level of CVE-2017-15707 is medium.
What software is affected by this vulnerability?
The software affected by this vulnerability includes Apache Struts, NetApp OnCommand Balance, Oracle Agile PLM Framework, Oracle Enterprise Manager For Virtualization, Oracle Financial Services Hedge Management and IFRS Valuations, Oracle Financial Services Market Risk Measurement and Management, Oracle Global Lifecycle Management Opatchauto, Oracle Jd Edwards Enterpriseone Tools, Oracle Retail Order Broker, Oracle Retail Xstore Point of Service, Oracle WebCenter Portal, and Oracle WebLogic Server.
How can I fix CVE-2017-15707?
You can fix CVE-2017-15707 by updating Apache Struts to a version higher than 2.5.14.
- agent/references
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache struts 2
- version/apache struts 2/2.5
- version/apache struts 2/2.5.14
- vendor/netapp
- canonical/netapp oncommand balance
- vendor/oracle
- canonical/oracle agile product lifecycle management framework
- version/oracle agile product lifecycle management framework/9.3.6
- canonical/oracle enterprise manager for virtualization
- version/oracle enterprise manager for virtualization/13.2.2
- version/oracle enterprise manager for virtualization/13.2.3
- canonical/oracle financial services hedge management and ifrs valuations
- version/oracle financial services hedge management and ifrs valuations/8.0.4
- version/oracle financial services hedge management and ifrs valuations/8.0.5
- canonical/oracle financial services market risk measurement and management
- version/oracle financial services market risk measurement and management/8.0.5
- canonical/oracle global lifecycle management opatchauto
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2
- canonical/oracle retail order broker
- version/oracle retail order broker/5.2
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/6.5.11
- version/oracle retail xstore office cloud service/7.0.6
- version/oracle retail xstore office cloud service/7.1.6
- version/oracle retail xstore office cloud service/15.0.1
- version/oracle retail xstore office cloud service/16.0.2
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.2.0
- version/oracle webcenter portal/12.2.1.3.0
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.2
- version/oracle weblogic server/12.2.1.3