JVNDB-2013-003469

[Japanese]
JVNDB-2013-003469
Apache Struts vulnerable to remote command execution
Overview
Apache Struts contains a remote command execution vulnerability. Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability. This issue is the same issue that the developer published as S2-016 on July 16, 2013 Note that attacks leveraging this vulnerability have been confirmed. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

Apache Software Foundation Apache Struts 2.0.0 through 2.3.15 Oracle Corporation MySQL Enterprise Monitor 2.3.13 and earlier Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 1.7 Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 12.0.1 Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 2.0 Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 2.0.1 Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 2.2.0.1 Oracle Financial Services Software (Oracle FLEXCUBE Private Banking) 3.0
Fujitsu Interstage Business Process Manager Analytics uses the Apache Struts 2. For more information, please refer to the FUJITSU Security Information (in Japanese).
Impact
An arbitrary command may be executed on the server where Apache Struts resides.
Solution
[Apply an Update] Update to the latest version according to the information provided by the developer.
Vendor Information
Apache Software Foundation Apache Software Foundation : S2-016 Apache Software Foundation : Struts 2.3.15.1 Apache Software Foundation : CVE-2013-2251: Apache Archiva Remote Command Execution IBM Corporation IBM Support Document : 1667890 Oracle Corporation Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2013 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2013 Risk Matrices Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2015 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices SECURITY BLOG : October 2013 Critical Patch Update Released SECURITY BLOG : July 2015 Critical Patch Update Released Cisco Systems, Inc. Cisco Security Advisory : cisco-sa-20131023-struts2 Vulnerability Alert : 30128 FUJITSU FUJITSU Security Information : Interstage Business Process Manager Analytics: Vulnerable to arbitrary code execution (CVE-2013-2248, CVE-2013-2251)(2013/09/04) (in Japanese)
CWE (What is CWE?)
Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)
CVE-2013-2251
References
JVN : JVN#33504150 National Vulnerability Database (NVD) : CVE-2013-2251 JPCERT REPORT : JPCERT-AT-2013-0033
Revision History
[2013/09/06] Web page was published [2013/10/23] Affected Products : Products were added Vendor Information : Contents were added [2013/11/12] Vendor Information : Contents were added [2015/07/29] Vendor Information : Contents were added [2015/08/11] Vendor Information : Content was added


Date Public	2013/07/09
Date First Published	2013/09/06
Date Last Updated	2015/08/11

Apache Struts vulnerable to remote command execution