[Japanese]

JVNDB-2012-000012

Apache Struts 2 vulnerable to an arbitrary Java method execution

Overview

Apache Struts 2 contains an arbitrary Java method execution vulnerability.

Apache Struts 2 is a framework to create Java web applications. Apache Struts 2 contains an arbitrary Java method execution vulnerability due to improper conversion in OGNL expression if a non-string property is contained in action.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Apache Software Foundation
  • Apache Struts 2.0.x
  • Apache Struts versions prior to 2.2.3

Impact

If a remote attacker sends a malformed request parameter to a vulnerable system, an arbitrary Java method may be executed. As a result, information such as environment variables may be disclosed, a denial-of-service (DoS) attack may be conducted, or an arbitrary OS command may be executed.
Solution

[Update the Software]
Apply the latest version according to the information provided by the developer.
The fix for this issue was contained in Apache Struts 2.2.3.1 released on September 2011.

According to the developer, Apache Struts 2.0.x is no longer supported, thus it is strongly recommended that users should upgrade to Apache Struts 2.3.x.
Vendor Information

Apache Software Foundation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-0838
References

  1. JVN : JVN#79099262
  2. National Vulnerability Database (NVD) : CVE-2012-0838
Revision History

[2012/02/10]
  Web page was published.