Symantec Security Response SMNTC-91068
Jun 07, 2016 - 12:00 a.m.

Apache Struts CVE-2016-1181 Remote Code Execution Vulnerability

www.symantec.com

Description

Apache Struts is prone to a remote code-execution vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition. Apache Struts 1.0 through 1.3.10 are vulnerable.

Technologies Affected

  • Apache Struts 1.0
  • Apache Struts 1.0.2
  • Apache Struts 1.1
  • Apache Struts 1.1 B1
  • Apache Struts 1.1 B2
  • Apache Struts 1.1 B3
  • Apache Struts 1.1 RC1
  • Apache Struts 1.1 RC2
  • Apache Struts 1.2.2
  • Apache Struts 1.2.4
  • Apache Struts 1.2.6
  • Apache Struts 1.2.7
  • Apache Struts 1.2.8
  • Apache Struts 1.2.9
  • Apache Struts 1.2.9 SP2
  • Apache Struts 1.2.9 sp1
  • Apache Struts 1.3.10
  • Apache Struts 1.3.5
  • Apache Struts 1.3.8
  • IBM BigFix Remote Control 9.1.2
  • IBM Business Process Manager Advanced 7.5.0.0
  • IBM Business Process Manager Advanced 7.5.0.1
  • IBM Business Process Manager Advanced 7.5.1.0
  • IBM Business Process Manager Advanced 7.5.1.1
  • IBM Business Process Manager Advanced 7.5.1.2
  • IBM Business Process Manager Advanced 8.0.0.0
  • IBM Business Process Manager Advanced 8.0.1
  • IBM Business Process Manager Advanced 8.0.1.1
  • IBM Business Process Manager Advanced 8.0.1.2
  • IBM Business Process Manager Advanced 8.0.1.3
  • IBM Business Process Manager Advanced 8.5.0
  • IBM Business Process Manager Advanced 8.5.0.1
  • IBM Business Process Manager Advanced 8.5.0.2
  • IBM Business Process Manager Advanced 8.5.5.0
  • IBM Business Process Manager Advanced 8.5.6.0
  • IBM Business Process Manager Advanced 8.5.7.0
  • IBM Content Foundation 5.2.0
  • IBM FTM for ACH 3.0.0.0
  • IBM FTM for ACH 3.0.0.1
  • IBM FTM for ACH 3.0.0.10
  • IBM FTM for ACH 3.0.0.11
  • IBM FTM for ACH 3.0.0.12
  • IBM FTM for ACH 3.0.0.13
  • IBM FTM for ACH 3.0.0.14
  • IBM FTM for ACH 3.0.0.2
  • IBM FTM for ACH 3.0.0.3
  • IBM FTM for ACH 3.0.0.4
  • IBM FTM for ACH 3.0.0.5
  • IBM FTM for ACH 3.0.0.6
  • IBM FTM for ACH 3.0.0.7
  • IBM FTM for ACH 3.0.0.8
  • IBM FTM for ACH 3.0.0.9
  • IBM FTM for CPS 2.1.1.0
  • IBM FTM for CPS 2.1.1.1
  • IBM FTM for CPS 2.1.1.2
  • IBM FTM for CPS 2.1.1.3
  • IBM FTM for CPS 3.0.0.0
  • IBM FTM for CPS 3.0.0.1
  • IBM FTM for CPS 3.0.0.10
  • IBM FTM for CPS 3.0.0.11
  • IBM FTM for CPS 3.0.0.12
  • IBM FTM for CPS 3.0.0.13
  • IBM FTM for CPS 3.0.0.14
  • IBM FTM for CPS 3.0.0.2
  • IBM FTM for CPS 3.0.0.3
  • IBM FTM for CPS 3.0.0.4
  • IBM FTM for CPS 3.0.0.5
  • IBM FTM for CPS 3.0.0.6
  • IBM FTM for CPS 3.0.0.7
  • IBM FTM for CPS 3.0.0.8
  • IBM FTM for CPS 3.0.0.9
  • IBM FTM for Check 3.0.0.0
  • IBM FTM for Check 3.0.0.1
  • IBM FTM for Check 3.0.0.10
  • IBM FTM for Check 3.0.0.11
  • IBM FTM for Check 3.0.0.12
  • IBM FTM for Check 3.0.0.13
  • IBM FTM for Check 3.0.0.14
  • IBM FTM for Check 3.0.0.2
  • IBM FTM for Check 3.0.0.3
  • IBM FTM for Check 3.0.0.4
  • IBM FTM for Check 3.0.0.5
  • IBM FTM for Check 3.0.0.6
  • IBM FTM for Check 3.0.0.7
  • IBM FTM for Check 3.0.0.8
  • IBM FTM for Check 3.0.0.9
  • IBM FileNet Content Manager 5.2.0
  • IBM InfoSphere Information Governance Catalog 11.3
  • IBM InfoSphere Information Governance Catalog 11.5
  • IBM InfoSphere Information Server 11.3
  • IBM InfoSphere Information Server 11.5
  • IBM InfoSphere Information Server 8.5
  • IBM InfoSphere Information Server 8.7
  • IBM InfoSphere Information Server 9.1
  • IBM Infosphere Metadata Workbench 8.5
  • IBM Infosphere Metadata Workbench 8.7
  • IBM Infosphere Metadata Workbench 9.1
  • IBM Security Identity Manager 6.0
  • IBM Security Privileged Identity Manager 2.0
  • IBM Spectrum Control 5.2.10
  • IBM Spectrum Control 5.2.10.1
  • IBM Spectrum Control 5.2.8
  • IBM Spectrum Control 5.2.9
  • IBM Tivoli Monitoring 6.2.2
  • IBM Tivoli Monitoring 6.2.2 FP6
  • IBM Tivoli Monitoring 6.2.2 FP9
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 05
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 09
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 9
  • IBM Tivoli Monitoring 6.2.2 FixPack 4
  • IBM Tivoli Monitoring 6.2.3
  • IBM Tivoli Monitoring 6.2.3 FP5
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 03
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 05
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 3
  • IBM Tivoli Monitoring 6.3.0
  • IBM Tivoli Monitoring 6.3.0 FP4
  • IBM Tivoli Monitoring 6.3.0 FP6
  • IBM Tivoli Monitoring 6.3.0 FP7
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 02
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 03
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 1
  • IBM Tivoli Storage Productivity Center 5.2.0
  • IBM Tivoli Storage Productivity Center 5.2.1.0
  • IBM Tivoli Storage Productivity Center 5.2.1.1
  • IBM Tivoli Storage Productivity Center 5.2.10
  • IBM Tivoli Storage Productivity Center 5.2.2
  • IBM Tivoli Storage Productivity Center 5.2.3
  • IBM Tivoli Storage Productivity Center 5.2.4
  • IBM Tivoli Storage Productivity Center 5.2.4.1
  • IBM Tivoli Storage Productivity Center 5.2.5
  • IBM Tivoli Storage Productivity Center 5.2.5.1
  • IBM Tivoli Storage Productivity Center 5.2.6
  • IBM Tivoli Storage Productivity Center 5.2.7
  • IBM Tivoli Storage Productivity Center 5.2.7.1
  • IBM WebSphere Application Server Hypervisor Edition
  • IBM WebSphere Service Registry and Repository 8.0
  • IBM WebSphere Service Registry and Repository 8.0.0.1
  • IBM WebSphere Service Registry and Repository 8.0.0.2
  • IBM WebSphere Service Registry and Repository 8.0.0.3
  • IBM WebSphere Service Registry and Repository 8.5
  • IBM WebSphere Service Registry and Repository 8.5.0.1
  • IBM WebSphere Service Registry and Repository 8.5.5.0
  • IBM WebSphere Service Registry and Repository 8.5.6.0
  • IBM Websphere Application Server 8.0
  • IBM Websphere Application Server 8.5 Full Profile
  • IBM Websphere Application Server 8.5 Liberty Profile
  • IBM Websphere Application Server 8.5.5 Full Profile
  • IBM Websphere Application Server 8.5.5.0 Liberty Profile
  • IBM Websphere Application Server 9.0
  • IBM Websphere Portal 6.1
  • IBM Websphere Portal 7.0
  • IBM Websphere Portal 8.0
  • IBM Websphere Portal 8.5
  • Oracle Banking Platform 2.3.0
  • Oracle Banking Platform 2.4.0
  • Oracle Banking Platform 2.4.1
  • Oracle Banking Platform 2.5.0
  • Oracle Communications Converged Application Server 7.0
  • Oracle Communications Policy Management 12.1
  • Oracle Communications Policy Management 12.2
  • Oracle Communications Policy Management 12.3
  • Oracle Communications Policy Management 12.4
  • Oracle JD Edwards EnterpriseOne Tools 9.1
  • Oracle Portal 11.1.1.6.0
  • Oracle Retail Clearance Optimization Engine 14.0.5
  • Oracle Retail Markdown Optimization 13.4.4
  • Oracle Retail Order Management System 5.0
  • Oracle WebCenter Sites 11.1.1.8.0
  • WAMNET JAPAN K.K. GigaCC OFFICE 2.3

Recommendations

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

Do not follow links provided by unknown or untrusted sources.
To reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

Implement multiple redundant layers of security.
Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker’s ability to exploit this vulnerability to execute arbitrary code.

Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].