JVN#03188560: Apache Struts 1 vulnerability that allows unintended remote operations against components on memory

Overview

The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader.

Products Affected

Apache Struts versions 1.0 through 1.3.10

Description

The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:

Condition 1:

When the following ActionForm (including its subclasses) are in the session scope, and multiple threads that process the same session can access the same ActionForm instance

ActionForm (not including claesses that implement DynaBean interface, such as DynaActionForm and its subclasses)
ValidatingActionForm
ValidatorForm
ValidatorActionForm

Condition 2:

Can process multi-part requests
(This condition applies whether or not the web application uses multi-part forms)

Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur.
Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Allied Telesis K.K.	Not Vulnerable	2016/06/07
Cybozu, Inc.	Vulnerable, investigating	2016/06/10
FUJITSU LIMITED	Vulnerable	2016/06/07
Hitachi	Not Vulnerable, investigating	2016/06/07
JT Engineering inc.	Not Vulnerable	2016/06/07
NEC Corporation	Vulnerable	2016/07/11
NTT DATA Corporation	Vulnerable	2016/06/07	NTT DATA Corporation website
RICOH COMPANY, LTD.	Vulnerable	2016/06/07
Seasar Foundation	Vulnerability Information Provided	2016/06/07

Vendor	Link
The Apache Software Foundation	Apache Struts 1 End-Of-Life (EOL) Announcement

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score: 8.1

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Score: 6.8

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Comment

This analysis assumes that a logged in attacker is attempting denial-of-service (DoS) attacks or to obtain server modules.

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2016-1181
JVN iPedia	JVNDB-2016-000096

Update History

2016/06/08: NEC Corporation update status
2016/06/10: Cybozu, Inc. update status
2016/06/20: NEC Corporation update status
2016/07/12: NEC Corporation update status

JVN#03188560 Apache Struts 1 vulnerability that allows unintended remote operations against components on memory