7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Security vulnerabilities have been discovered in Apache’s Struts library
**CVE-ID:**CVE-2014-0112, CVE-2014-0094, & CVE-2014-0050
**DESCRIPTION:**FlashSystem 840 MTM 9840-AE1, and FlashSystem V840 MTMs 9846-AE1 and 9848-AE1 use the Apache Struts library. Struts is used only by the Service Assist GUI.
CVE-2014-0112 (Apache Struts ParametersInterceptor code execution)
Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS v2 Base Score: 7.5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92740>
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVE-2014-0094
Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server.
CVSS v2 Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92205>
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:P/A:N)
CVE-2014-0050
Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS v2 Base Score: 4.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90987>
CVSS Vector: (AV:N/AC:H/AU:N/C:P/I:P/A:N)
_FlashSystem 840 including machine type models (all available code levels) _
9840-AE1
_FlashSystem V840 including machine type models (all available code levels) _
9846-AE1 & 9848-AE1
Products
| VRMF| APAR| Remediation/First Fix
—|—|—|—
840 MTM:
9840-AE1
V840 MTMs: 9846-AE1 &
9848-AE1| A code fix is now available, the VRMF of this code level is 1.1.2.2 (or later)| N/A| No work arounds or mitigations, other than applying this code fix, are known for this Struts vulnerability
None known
CPE | Name | Operator | Version |
---|---|---|---|
ibm flashsystem 900 | eq | any | |
ibm flashsystem software | eq | any |