
JVNDB-2016-000096

Apache Struts 1 vulnerability that allows unintended remote operations against components on memory

Overview

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:

Condition 1:
When any of the following ActionForm classes (including its subclasses) is in the session scope, and multiple threads that process the same session can access the same ActionForm instance
* ActionForm (not including classes that implement the DynaBean interface, such as DynaActionForm and its subclasses)
* ValidatingActionForm
* ValidatorForm
* ValidatorActionForm

Condition 2:
Can process multi-part requests
(This condition applies whether or not the web application uses multi-part forms)
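
As an added example (not part of the original advisory and not Apache Struts code), the following Python script lists the action mappings in a struts-config.xml that match Condition 1 by keeping a non-Dyna form bean in session scope. It relies on the Struts 1 behaviour that an omitted scope attribute means session scope; the function name, the DYNA_FORMS set and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Struts 1 classes that implement DynaBean (outside Condition 1). Custom
# subclasses cannot be recognised from the config and need manual review.
DYNA_FORMS = {
    "org.apache.struts.action.DynaActionForm",
    "org.apache.struts.validator.DynaValidatorForm",
    "org.apache.struts.validator.DynaValidatorActionForm",
}

def session_scoped_forms(struts_config_xml):
    """Return (action path, form-bean name, form type) for every action
    mapping that keeps a non-Dyna form bean in session scope."""
    root = ET.fromstring(struts_config_xml)
    form_types = {fb.get("name"): fb.get("type", "")
                  for fb in root.iter("form-bean")}
    findings = []
    for action in root.iter("action"):
        form = action.get("name")
        if form is None:
            continue  # mapping has no form bean
        # Struts 1 uses session scope when the attribute is omitted.
        scope = action.get("scope", "session")
        form_type = form_types.get(form, "")
        if scope == "session" and form_type not in DYNA_FORMS:
            findings.append((action.get("path"), form, form_type))
    return findings

# Constructed sample configuration, not taken from any real application.
SAMPLE = """
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm"/>
    <form-bean name="searchForm" type="org.apache.struts.action.DynaActionForm"/>
    <form-bean name="orderForm" type="com.example.OrderForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" type="com.example.LoginAction" name="loginForm"/>
    <action path="/search" type="com.example.SearchAction" name="searchForm" scope="session"/>
    <action path="/order" type="com.example.OrderAction" name="orderForm" scope="request"/>
    <action path="/logout" type="com.example.LogoutAction"/>
  </action-mappings>
</struts-config>
"""

if __name__ == "__main__":
    for path, form, form_type in session_scoped_forms(SAMPLE):
        print(f"{path}: form bean '{form}' ({form_type}) is session-scoped")
```

Condition 2 is not checked because, as stated above, it applies whether or not the application uses multi-part forms.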

CVSS Severity

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 8.1 (High) [IPA Score]
  • Access Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

Apache Software Foundation
  • Apache Struts versions 1.0 through 1.3.10

Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) condition may occur.
Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.

Vendor Information

Apache Software Foundation
Oracle Corporation
Ricoh Co., Ltd
Red Hat, Inc.
NTT DATA
NEC Corporation
  • NEC Security Information : NV16-013 (in Japanese)
FUJITSU

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2016-1181

References

  1. JVN : JVN#03188560
  2. JVN : JVNVU#91417143
  3. National Vulnerability Database (NVD) : CVE-2016-1181
  4. Related document : Fixed CVE-2016-1181 and CVE-2016-1182

Revision History

[2016/06/07]
  Web page was published
[2016/07/27]
  Vendor Information : Contents were added
  References : Content was added
[2016/08/04]
  Vendor Information : Contents were added
  References : Contents were added
[2016/11/22]
  Vendor Information : Contents were added
[2017/02/20]
  References : Content was added