JVN#03188560: Apache Struts 1 vulnerability that allows unintended remote operations against components on memory

2016-06-0700:00:00

Japan Vulnerability Notes

jvn.jp

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.027 Low

EPSS

Percentile

90.4%

JSON

The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:

Condition 1:

When the following ActionForm (including its subclasses) are in the session scope, and multiple threads that process the same session can access the same ActionForm instance

ActionForm (not including claesses that implement DynaBean interface, such as DynaActionForm and its subclasses) ValidatingActionForm ValidatorForm ValidatorActionForm Condition 2:

Can process multi-part requests
(This condition applies whether or not the web application uses multi-part forms)

Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur.
Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.