Red Hat Bugzilla – Bug 853827
CVE-2012-4387 struts2: Long parameter name DoS
Last modified: 2014-10-20 20:03:20 EDT
Apache Struts2 treats HTTP request parameters as OGNL expressions. A remote attacker could exploit this by supplying extremely long parameter names, which take a long time to evaluate as OGNL expressions, leading to denial of service through CPU exhaustion. Struts 2.0.0 through 2.3.4 are affected by this flaw. It is resolved in Struts 2.3.4.1 by limiting parameter name length to 100 characters by default. This limit can be configured using the "paramNameMaxLength" parameter in the ParametersInterceptor configuration.
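As an added example (not part of the original bug report), the following Python script scans constructed access-log lines for requests whose query string carries a parameter name longer than the 100-character default cap described above; the log format, IPs and endpoint names are assumptions. Parameter names sent in POST bodies do not appear in access logs, so this only surfaces the GET variant; the interceptor setting itself is the actual fix.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Default cap introduced by the Struts fix (paramNameMaxLength).
PARAM_NAME_MAX_LENGTH = 100

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2014:20:03:20 -0400] "GET /app/login.action?username=bob&password=x HTTP/1.1" 200 512
10.0.0.9 - - [20/Oct/2014:20:03:21 -0400] "GET /app/list.action?{}=1 HTTP/1.1" 200 17
10.0.0.7 - - [20/Oct/2014:20:03:22 -0400] "POST /app/save.action HTTP/1.1" 302 0
""".format("a" * 300)

# Matches client IP, timestamp, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def longest_param_name(target: str) -> int:
    """Length of the longest decoded parameter name in the target's
    query string, or 0 when there is no query string."""
    query = urlsplit(target).query
    # keep_blank_values=True so a bare "name" without "=" still counts.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return max((len(n) for n in names), default=0)


def find_overlong_param_names(log_text: str, max_len: int = PARAM_NAME_MAX_LENGTH):
    """Return (ip, method, path, longest_name_length) for every log line
    whose query string has a parameter name longer than max_len."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        longest = longest_param_name(m["target"])
        if longest > max_len:
            hits.append((m["ip"], m["method"], urlsplit(m["target"]).path, longest))
    return hits


if __name__ == "__main__":
    for ip, method, path, length in find_overlong_param_names(SAMPLE_LOG):
        print(f"{ip} {method} {path}: parameter name of {length} chars exceeds {PARAM_NAME_MAX_LENGTH}")
```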
Not Vulnerable. This issue only affects Struts 2, it does not affect the versions of Struts as shipped with various Red Hat products.