Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)

Summary

Apache Struts is used by IBM Call Center as part of its web application framework used for creating Java EE web applications. It is vulnerable to various CVEs, listed below. We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 12.

Vulnerability Details

CVEID:CVE-2011-1772
**DESCRIPTION:**Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/67354 for the current score.
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-0838
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/73690 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-7809
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/98963 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2011-5057
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/71654 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-4387
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/78183 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2012-1006
**DESCRIPTION:**Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72888 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-0392
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72088 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-0094
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92205 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:CVE-2019-0233
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2013-1965
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85573 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-0112
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92740 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2134
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84762 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2016-3081
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112528 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2014-0113
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92742 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2135
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84763 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2019-0230
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186702 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2013-4316
**DESCRIPTION:**An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87373 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:CVE-2012-0391
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72229 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-0393
**DESCRIPTION:**Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72089 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-4386
**DESCRIPTION:**Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/78182 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2016-4003
**DESCRIPTION:**Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/111514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2016-3093
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/113686 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2013-4310
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87336 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID:CVE-2014-0116
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93024 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2010-1870
**DESCRIPTION:**XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/60371 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2020-17530
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192743 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2016-3082
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2016-4436
**DESCRIPTION:**An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/114183 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2013-2251
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85756 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2017-12611
**DESCRIPTION:**Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/131603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2015-5209
**DESCRIPTION:**Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2013-2115
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84543 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-1966
**DESCRIPTION:**Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84542 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2013-2248
**DESCRIPTION:**Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85755 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2015-2992
**DESCRIPTION:**Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106172 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2015-5169
**DESCRIPTION:**Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/105879 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. IBM Call Center version 9.5 reached end of support April 30, 2022.

Call Center installing Fix Pack 12 - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-installing-fix-packs&gt;

Fix Pack 12 download location - https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-ISCCS-All-fp12-Installer&product=ibm%2FOther%20software%2FIBM%20Call%20Center%20for%20Commerce&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling&function=fixId&parent=ibm/Other%20software

IBM Call Center release notes - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-fixes-by-fix-pack-version#fp12&gt;

Creating & Extending Struts - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=cesf-creating-extending-struts-xml-file-in-web-ui-framework&gt;

Workarounds and Mitigations

BM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. IBM Call Center version 9.5 reached end of support April 30, 2022.