JVNDB-2015-000042

The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass

Overview

The TERASOLUNA Server Framework for Java(WEB) provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for Java(WEB) is vulnerable to an issue contained in the Apache Struts 1 Validator, since it uses Apache Struts 1.2.9.

The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions.
The MPV contains a vulnerability where input validation may be bypassed.
When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

NTT DATA
  • TERASOLUNA Server Framework for Java(Web) versions 2.0.0.1 through 2.0.5.2

For more information, refer to the information provided by the developer.

Impact

Input validation being bypassed may result in invalid data being entered into the database. The effects of the vulnerability depend on the application.

Solution

[Apply an Update]
Update to the latest version according to the information provided by the developer.

On March 24, 2015, TERASOLUNA Server Framework for Java(Web) 2.0.5.3 which includes Apache Struts 1.2.9 with SP2 by TERASOLUNA was released to address this vulnerability.
According to NTT Data Corporation, they have also released Apache Struts 1.2.9 with SP2 by TERASOLUNA separately to address this vulnerability.

Vendor Information

NTT DATA

CWE

  1. Improper Input Validation(CWE-20) [IPA Evaluation]

CVE

  1. CVE-2015-0899

References

  1. JVN : JVN#86448949
  2. National Vulnerability Database (NVD) : CVE-2015-0899

Revision History

[2015/03/24]
  Web page was published
[2015/04/10]
  Overview was modified
[2016/08/26]
  References : Content was added