JVN#03188560: Apache Struts 1 vulnerability that allows unintended remote operations against components on memory


The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and the ClassLoader, when the following two conditions are met:

**Condition 1:** One of the following ActionForm classes (including their subclasses) is in the session scope, and multiple threads that process the same session can access the same ActionForm instance:

* ActionForm (not including classes that implement the DynaBean interface, such as DynaActionForm and its subclasses)
* ValidatingActionForm
* ValidatorForm
* ValidatorActionForm

**Condition 2:** The application can process multi-part requests (this condition applies whether or not the web application uses multi-part forms).

## Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur. Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

## Solution

As of April 5, 2013, Apache Struts 1 is [End-Of-Life (EOL)](<https://struts.apache.org/struts1eol-announcement.html>). For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.

## Products Affected

* Apache Struts versions 1.0 through 1.3.10
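Condition 1 can be checked from an application's `struts-config.xml` before the application is deployed. The following audit script is an added example written for this advisory, not code from JVN or the Apache Struts project. It assumes the standard Struts 1 configuration layout (`<form-bean name="…" type="…"/>` under `<form-beans>`, `<action name="…" scope="…"/>` under `<action-mappings>`) and that a mapping with no `scope` attribute defaults to `session`, as Struts 1 does. The sample configuration and the `com.example.*` class names are constructed for the example. Custom form classes cannot be resolved against the affected class list without the class hierarchy, so they are reported for manual review; Condition 2 (multi-part handling) is not visible in the configuration and must be checked separately.

```python
import xml.etree.ElementTree as ET

# Form class names the advisory lists as affected when session-scoped (Condition 1).
AFFECTED_FORMS = {"ActionForm", "ValidatingActionForm", "ValidatorForm", "ValidatorActionForm"}
# DynaBean-based forms the advisory explicitly excludes.
DYNA_FORMS = {"DynaActionForm", "DynaValidatorForm", "DynaValidatorActionForm"}

# Constructed sample struts-config.xml (hypothetical application, not from the advisory).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts-config>
  <form-beans>
    <form-bean name="loginForm"   type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="profileForm" type="org.apache.struts.validator.ValidatorActionForm"/>
    <form-bean name="searchForm"  type="org.apache.struts.action.DynaActionForm">
      <form-property name="q" type="java.lang.String"/>
    </form-bean>
    <form-bean name="uploadForm"  type="com.example.UploadForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login"   name="loginForm"   scope="request" type="com.example.LoginAction"/>
    <action path="/profile" name="profileForm"                 type="com.example.ProfileAction"/>
    <action path="/search"  name="searchForm"                  type="com.example.SearchAction"/>
    <action path="/upload"  name="uploadForm"  scope="session" type="com.example.UploadAction"/>
    <action path="/logout"  type="com.example.LogoutAction"/>
  </action-mappings>
</struts-config>
"""


def simple_name(fqcn):
    """Return the class name without its package prefix."""
    return fqcn.rsplit(".", 1)[-1]


def classify_form_type(fqcn):
    """Map a form-bean type to 'affected', 'excluded' (DynaBean) or 'review' (unknown subclass)."""
    name = simple_name(fqcn)
    if name in DYNA_FORMS:
        return "excluded"
    if name in AFFECTED_FORMS:
        return "affected"
    return "review"


def audit(xml_text):
    """Evaluate every action mapping against Condition 1 and return one record per mapping."""
    root = ET.fromstring(xml_text)
    form_types = {fb.get("name"): fb.get("type", "") for fb in root.iter("form-bean")}
    results = []
    for action in root.iter("action"):
        form_name = action.get("name")
        if form_name is None:
            continue  # no ActionForm bound to this mapping, nothing to share across threads
        scope = action.get("scope", "session")  # Struts 1 default scope is session
        form_type = form_types.get(form_name, "<undefined form-bean>")
        kind = classify_form_type(form_type)
        if scope != "session":
            verdict = "OK"          # request-scoped instance is not shared between threads
        elif kind == "affected":
            verdict = "AFFECTED"    # listed class (or direct use) in session scope
        elif kind == "excluded":
            verdict = "EXCLUDED"    # DynaBean form, explicitly out of scope of the advisory
        else:
            verdict = "REVIEW"      # custom class: check whether it extends a listed form
        results.append({"path": action.get("path"), "form": form_name,
                        "type": form_type, "scope": scope, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_CONFIG):
        print(f"{r['verdict']:<9} {r['path']:<10} {r['form']:<12} scope={r['scope']:<8} {r['type']}")
```

Run against a real `struts-config.xml`, every `AFFECTED` mapping meets Condition 1 outright, and every `REVIEW` mapping needs the form class checked for an `ActionForm`, `ValidatorForm`, `ValidatorActionForm` or `ValidatingActionForm` ancestor. Moving such forms to request scope removes the shared instance that Condition 1 depends on, but the page's stated remedy remains the vendor's guidance, since Struts 1 itself is no longer maintained.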