CVE-2017-9787 : When using a Spring AOP functionality to secure Struts actions it is possible to

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Published 2017-07-13 15:29:00

Updated 2019-10-03 00:03:26

Source Apache Software Foundation

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2017-9787

Apache » Struts » Version: 2.3.14.3
cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.8
cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.7
cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.15
cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.14.1
cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.14
cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.12
cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.14.2
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.15.1
cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.15.3
cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.16
cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.16.1
cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.16.2
cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.15.2
cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.16.3
cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.20
cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.11
cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.20.1
cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.13
cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.20.2
cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.21
cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.24
cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.9
cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.10
cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.17
cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.19
cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.22
cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.23
cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.24.1
cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.20.3
cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.28
cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.24.3
cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.28.1
cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5
cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.25
cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.26
cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.27
cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.29
cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.30
cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.24.2
cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.5
cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.3
cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.4
cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.1
cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.2
cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.6
cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.31
cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.3.32
cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.7
cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.9
cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.8
cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.10
cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*
Matching versions
Apache » Struts » Version: 2.5.10.1
cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-9787

EPSS FAQ

8.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-9787

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

References for CVE-2017-9787

http://www.securityfocus.com/bid/99562

Apache Struts Spring AOP Functionality Denial of Service Vulnerability
Third Party Advisory;VDB Entry
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

Oracle Security Alert CVE-2017-9805

CVEs referencing this url
http://www.securitytracker.com/id/1039115

Apache Struts Spring AOP Flaw Lets Remote Users Deny Service - SecurityTracker
http://struts.apache.org/docs/s2-049.html

S2-049 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
Vendor Advisory
https://lists.apache.org/thread.html/de3d325f0433cd3b42258b6a302c0d7a72b69eedc1480ed561d3b065@%3Cannouncements.struts.apache.org%3E

[ANN] Apache Struts: S2-049 Security Bulletin update - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E

[ANN] Apache Struts 2.5.12 GA with Security Fixes Release - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20180706-0002/

July 2017 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-9787

Products affected by CVE-2017-9787

Exploit prediction scoring system (EPSS) score for CVE-2017-9787

CVSS scores for CVE-2017-9787

References for CVE-2017-9787