JVNDB-2016-000096

[Japanese]
JVNDB-2016-000096
Apache Struts 1 vulnerability that allows unintended remote operations against components on memory
Overview
The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met: Condition 1: When the following ActionForm (including its subclasses) are in the session scope, and multiple threads that process the same session can access the same ActionForm instance * ActionForm (not including claesses that implement DynaBean interface, such as DynaActionForm and its subclasses) * ValidatingActionForm * ValidatorForm * ValidatorActionForm Condition 2: Can process multi-part requests (This condition applies whether or not the web application uses multi-part forms)
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 8.1 (High) [IPA Score] Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: High Availability Impact: High CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

Apache Software Foundation Apache Struts versions 1.0 through 1.3.10

Impact
Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur. Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.
Solution
As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL). For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.
Vendor Information
Apache Software Foundation Apache Software Foundation : Apache Struts 1 End-Of-Life (EOL) Announcement Oracle Corporation Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2016 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2016 Risk Matrices Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2016 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices SECURITY BLOG : July 2016 Critical Patch Update Released SECURITY BLOG : October 2016 Critical Patch Update Released Ricoh Co., Ltd JVN : Information from RICOH COMPANY, LTD. Red Hat, Inc. Red Hat Bugzilla : Bug 1343538 NTT DATA NTT DATA Corporation : TERASOLUNA Framework (in Japanese) NEC Corporation NEC Security Information : NV16-013 (in Japanese) FUJITSU FUJITSU : CVE-2016-1181(JVN#03188560)
CWE (What is CWE?)
No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2016-1181
References
JVN : JVN#03188560 JVN : JVNVU#91417143 National Vulnerability Database (NVD) : CVE-2016-1181 Related document : Fixed CVE-2016-1181 and CVE-2016-1182
Revision History
[2016/06/07] Web page was published [2016/07/27] Vendor Information : Contents were added References : Content was added [2016/08/04] Vendor Information : Contents were added References : Contents were added [2016/11/22] Vendor Information : Contents were added [2017/02/20] References : Content was added


Date Public	2016/06/07
Date First Published	2016/06/07
Date Last Updated	2017/02/20

Apache Struts 1 vulnerability that allows unintended remote operations against components on memory