7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Security vulnerabilities have been discovered in Apache’s Struts library
**CVE-ID:**CVE-2014-0112, CVE-2014-0094, & CVE-2014-0050
**DESCRIPTION:**FlashSystem V840-AE1 uses the Apache Struts library. Struts is used only by the Service Assist GUI.
CVE-2014-0112 (Apache Struts ParametersInterceptor code execution)
Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS v2 Base Score: 7.5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92740>
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:P/A:P)
CVE-2014-0094
Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server.
CVSS v2 Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92205>
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:P/A:N)
CVE-2014-0050
Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS v2 Base Score: 4.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/90987>
CVSS Vector: (AV:N/AC:H/AU:N/C:P/I:P/A:N)
_FlashSystem V840 including machine type models (all available code levels) _
9846-AE1 & 9848-AE1
Products
| VRMF| APAR| Remediation/First Fix
—|—|—|—
9846-AE1,
9848-AE1,| A code fix is now available, the VRMF of this code level is 1.1.2.2| N/A| No work arounds or mitigations, other than applying this code fix, are known for this Struts vulnerability
None known
CPE | Name | Operator | Version |
---|---|---|---|
ibm flashsystem software | eq | any |