K13434228 : Apache Struts vulnerability CVE-2012-0392

2020-12-1100:00:00

my.f5.com

9.7 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.971 High

EPSS

Percentile

99.7%

JSON

Security Advisory Description

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. (CVE-2012-0392)

Impact

No F5 products are affected by this vulnerability in default, standard, or recommended configurations. BIG-IP AAM is affected by this vulnerability only if the Apache Struts configuration is deliberately configured to enable Developer Mode (devMode). devMode is disabled by default on BIG-IP AAM. BIG-IP AAM 16.0.0 and later are not vulnerable regardless of the Apache Struts configuration.

CPENameOperatorVersion
big-iq centralized managementeq5.4.0
big-iq centralized managementeq6.0.0
big-iq centralized managementeq6.0.1
big-iq centralized managementeq6.1.0
big-iq centralized managementeq7.0.0
big-iq centralized managementeq7.1.0
big-ip gtmeq11.6.1
big-ip gtmeq11.6.2
big-ip gtmeq11.6.3
big-ip gtmeq11.6.4

Name	Operator	Version
big-iq centralized management	eq	5.4.0
big-iq centralized management	eq	6.0.0
big-iq centralized management	eq	6.0.1
big-iq centralized management	eq	6.1.0
big-iq centralized management	eq	7.0.0
big-iq centralized management	eq	7.1.0
big-ip gtm	eq	11.6.1
big-ip gtm	eq	11.6.2
big-ip gtm	eq	11.6.3
big-ip gtm	eq	11.6.4