JVNDB-2015-000042

The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass

The TERASOLUNA Server Framework for Java(WEB) provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for Java(WEB) is vulnerable to an issue contained in the Apache Struts 1 Validator, since it uses Apache Struts 1.2.9.

The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions.
The MPV contains a vulnerability where input validation may be bypassed.
When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.

NTT DATA

• TERASOLUNA Server Framework for Java(Web) versions 2.0.0.1 through 2.0.5.2

For more information, refer to the information provided by the developer.

Input validation being bypassed may result in invalid data being entered into the database. Affects of the vulnerability depend on the application.

[Apply an Update]
Update to the latest version according to the information provided by the developer.

On March 24, 2015, TERASOLUNA Server Framework for Java(Web) 2.0.5.3 which includes Apache Struts 1.2.9 with SP2 by TERASOLUNA was released to address this vulnerability.
According to NTT Data Corporation, they have also released Apache Struts 1.2.9 with SP2 by TERASOLUNA separately to address this vulnerability.

NTT DATA

• NTT DATA Corporation : TERASOLUNA Framework (in Japanese)
• NTT DATA Corporation : Apache Struts 1.2.9 with SP2 by TERASOLUNA

1. Improper Input Validation(CWE-20) [IPA Evaluation]

1. CVE-2015-0899

1. JVN : JVN#86448949
2. National Vulnerability Database (NVD) : CVE-2015-0899

• [2015/03/24]
    Web page was published
  [2015/04/10]
    Overview was modified
  [2016/08/26]
    References : Content was added