Security Bulletin: Order Management could be subject to an Apache Struts vulnerability that could allow a remote attacker to execute arbitrary code on the system.

Summary

Order Management removed parts of legacy code that carried vulnerabilites. The code did contain CVE-2013-2115, CVE-2013-4316, CVE-2014-0112, CVE-2014-0113, CVE-2015-5209, CVE-2016-3082, CVE-2016-4436, CVE-2017-12611, CVE-2019-0230, CVE-2019-0233, CVE-2020-17530, CVE-2021-31805, CVE-2010-1870, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0838, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2013-2115
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84543 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-4316
**DESCRIPTION:**An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87373 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:CVE-2014-0112
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92740 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-0113
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92742 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2015-5209
**DESCRIPTION:**Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2016-3082
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-4436
**DESCRIPTION:**An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/114183 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2017-12611
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/131603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-0230
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186702 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-0233
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-17530
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192743 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-31805
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double evaluation of tag attributes. By forcing OGNL evaluation of specially-crafted data using the %{…} syntax, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2010-1870
**DESCRIPTION:**XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/60371 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-0391
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72229 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-0392
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72088 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-0393
**DESCRIPTION:**Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72089 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-0838
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/73690 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-4387
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/78183 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2013-1965
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85573 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-1966
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84542 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2134
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84762 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2135
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84763 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2248
**DESCRIPTION:**Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85755 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Remediation/Fixes

Please find release notes and fixes - <https://www.ibm.com/docs/en/order-management?topic=updating-resolved-issues&gt;

Container download- <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=operator-obtaining-container-images-from-entitled-registry&gt;
On-Prem: <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=installing-applying-fix-packs&gt;

Workarounds and Mitigations

None