製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Struts 2 の REST プラグインにおけるサービス運用妨害 (DoS) の脆弱性

Title	Apache Struts 2 の REST プラグインにおけるサービス運用妨害 (DoS) の脆弱性
Summary	Apache Struts 2 の REST プラグインは、旧式の JSON-lib ライブラリを使用するため、サービス運用妨害 (DoS) 状態にされる脆弱性が存在します。
Possible impacts	巧妙に細工された JSON ペイロードを伴う悪意のあるリクエストを介して、サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 1, 2017, midnight
Registration Date	Dec. 20, 2017, 1:47 p.m.
Last Update	Dec. 20, 2017, 1:47 p.m.

Affected System

Apache Software Foundation

Apache Struts 2.5.14 までの 2.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-15707	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15707
National Vulnerability Database (NVD)
2	CVE-2017-15707	https://nvd.nist.gov/vuln/detail/CVE-2017-15707

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apache Struts 2 Documentation
1	S2-054	https://cwiki.apache.org/confluence/display/WW/S2-054
NetApp Advisory
2	NTAP-20171214-0001	https://security.netapp.com/advisory/ntap-20171214-0001/

その他

No	Name	URL
関連文書
1	Apache Struts CVE-2017-15707 Denial of Service Vulnerability	https://www.securityfocus.com/bid/102021

Change Log

No	Changed Details	Date of change
0	[2017年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-15707

Summary	In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Publication Date	Dec. 2, 2017, 1:29 a.m.
Registration Date	Jan. 26, 2021, 1:17 p.m.
Last Update	Nov. 21, 2024, 12:15 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:struts::::::::		2.5	2.5.14

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:netapp:oncommand_balance:-:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:oracle:weblogic_server:12.2.1.2:::::::*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:6.5.11:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:::::::*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.2.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:::::::*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:::::::*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:::::::*
cpe:2.3:a:oracle:global_lifecycle_management_opatchauto::::::::
cpe:2.3:a:oracle:agile_plm_framework:9.3.6:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch
2	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch
3	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch
4	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch
5	http://www.securityfocus.com/bid/102021	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/102021	Third Party Advisory VDB Entry
7	http://www.securitytracker.com/id/1039946	Third Party Advisory VDB Entry
8	http://www.securitytracker.com/id/1039946	Third Party Advisory VDB Entry
9	https://cwiki.apache.org/confluence/display/WW/S2-054	Patch Vendor Advisory
10	https://cwiki.apache.org/confluence/display/WW/S2-054	Patch Vendor Advisory
11	https://security.netapp.com/advisory/ntap-20171214-0001/	Third Party Advisory
12	https://security.netapp.com/advisory/ntap-20171214-0001/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:oracle:weblogic_server:12.2.1.2:::::::*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:6.5.11:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:::::::*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.2.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:::::::*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:::::::*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:::::::*
cpe:2.3:a:oracle:global_lifecycle_management_opatchauto::::::::
cpe:2.3:a:oracle:agile_plm_framework:9.3.6:::::::*