Security Bulletin: Order Management could be subject to multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x.

Source: IBM (www.ibm.com), published 2024-04-12 17:35:43
Tags: apache struts, xss, order management, vulnerabilities, cross-site scripting, remote attacker

AI Score: 8.7 High (Confidence: Low)

CVSS2: 10 High, AV:N/AC:L/Au:N/C:C/I:C/A:C (Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE)

EPSS: 0.942 High (Percentile: 99.1%)

Summary

Order Management removed parts of legacy code that carried vulnerabilities. The code contained CVE-2012-0838, CVE-2011-1772, CVE-2008-6504, CVE-2010-1870 and CVE-2012-0394; however, the specific code related to these vulnerabilities is not in use, so the risk is lower. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2012-0838
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/73690 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2011-1772
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by XWork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/67354 for the current score.
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID: CVE-2008-6504
**DESCRIPTION:** XWork could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to bypass the # references to context objects and modify server-side objects.
CVSS Base score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/46328 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2010-1870
**DESCRIPTION:** XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/60371 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-0394
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error in the DebuggingInterceptor component. An attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary commands on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91029 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
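Two of the descriptions above tie exploitability to a Struts runtime setting: CVE-2011-1772 applies only if Dynamic Method Invocation is enabled, and the DebuggingInterceptor named in CVE-2012-0394 only acts when the framework runs in developer mode. The following checker is an added example, not part of the IBM bulletin and not code from IBM or Apache Struts: it reads a `struts.xml` or `struts.properties` body and reports when `struts.enable.DynamicMethodInvocation` or `struts.devMode` is left in the exposing state. The two constant names are real Struts 2 settings; the sample configurations are constructed, and treating an absent DMI constant as enabled reflects the Struts 2.0 to 2.3 default (Struts 2.5 changed it to disabled). The helper names `load_constants` and `audit_struts_config` are this example's own.

```python
"""Audit Struts 2.x configuration for the two settings referenced by the
CVE descriptions above. Added example: not IBM's or Apache Struts' code.

Assumptions (labelled): the sample config texts are constructed; the
constant names are real Struts 2 settings; an absent
struts.enable.DynamicMethodInvocation is treated as enabled because that
was the Struts 2.0-2.3 default. Only a struts.xml or struts.properties
body is read; overrides from web.xml or plugins are not resolved.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the bulletin or any product).
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""

HARDENED_STRUTS_PROPERTIES = """# constructed struts.properties
struts.devMode=false
struts.enable.DynamicMethodInvocation=false
"""

# constant name -> (safe value, weak when absent?, reason tied to the CVEs above)
CHECKS = {
    "struts.enable.DynamicMethodInvocation": (
        "false", True,
        "CVE-2011-1772 is reachable only when Dynamic Method Invocation is enabled"),
    "struts.devMode": (
        "false", False,
        "the DebuggingInterceptor of CVE-2012-0394 only acts in devMode"),
}


def load_constants(text: str) -> dict:
    """Return {name: value} from a struts.xml or struts.properties body.
    A later declaration of the same name overrides an earlier one."""
    constants = {}
    if text.lstrip().startswith("<"):
        # struts.xml: <constant name="..." value="..."/> elements anywhere in the tree
        root = ET.fromstring(text)
        for node in root.iter("constant"):
            name, value = node.get("name"), node.get("value")
            if name and value is not None:
                constants[name.strip()] = value.strip()
    else:
        # struts.properties: key=value lines, '#' and '!' start comments
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue
            name, value = line.split("=", 1)
            constants[name.strip()] = value.strip()
    return constants


def audit_struts_config(text: str) -> list:
    """Return one finding string per exposing setting; [] means all checks pass."""
    declared = load_constants(text)
    findings = []
    for name, (safe, weak_if_absent, why) in CHECKS.items():
        if name in declared:
            if declared[name].lower() != safe:
                findings.append(f"{name}={declared[name]} ({why})")
        elif weak_if_absent:
            findings.append(f"{name} not set, Struts 2.0-2.3 default enables it ({why})")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak struts.xml", WEAK_STRUTS_XML),
                          ("hardened struts.properties", HARDENED_STRUTS_PROPERTIES)):
        findings = audit_struts_config(sample)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run the file directly to see the weak sample flagged on both constants and the hardened sample pass. A clean result from this check narrows the conditions named in two of the five descriptions; it does not stand in for the fix packs listed under Remediation/Fixes, which is where the bulletin places the actual remediation.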

Affected Products and Versions

Affected Product(s): IBM Sterling Order Management
Version(s): 10.0

Remediation/Fixes

Release notes and fixes: <https://www.ibm.com/docs/en/order-management?topic=updating-resolved-issues>

Container download: <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=operator-obtaining-container-images-from-entitled-registry>
On-Prem: <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=installing-applying-fix-packs>

Workarounds and Mitigations

None

CPE Name: ibm sterling order management; Operator: eq; Version: 10.
