The ExceptionDelegator component in Apache Struts before 22.214.171.124 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. ([CVE-2012-0391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>)) Impact No F5 products are affected by this vulnerability in default, standard, or recommended configurations. BIG-IP AAM is affected by this vulnerability only if the Apache Struts configuration has been deliberately configured to enable Development Mode (devMode). devMode is disabled by default on BIG-IP AAM. BIG-IP AAM 16.0.0 and later are not vulnerable, regardless of the Apache Struts configuration.
Apache Struts 126.96.36.199 Remote Command Execution
Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution
VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries
Apache Struts 2 ConversionErrorInterceptor OGNL Script Injection (CVE-2012-0391)