Published:2016/06/20  Last Updated:2016/07/05

JVN#07710476
Apache Struts 2 vulnerable to remote code execution

Overview

Apache Struts 2 contains a remote code execution vulnerability.

Products Affected

  • Apache Struts 2.3.20 to 2.3.28.1
Affects of this vulnearbility to Apache Struts 1 is unknown.
As of  April 5, 2013, Apache Software Foundation has announced that Apache Strtus 1 is no longer developed or supported.

Description

Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. Web applications that are developed using Apache Struts 2 REST Plugin contain a remote code execution vulnerability.

Note that the exploit code for this vulnerability is publicly available.

Impact

An arbitrary code may be executed by an unauthenticated remote attacker.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Not Vulnerable 2016/07/05
NTT-CERT Not Vulnerable 2016/06/23

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 5.6
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Shinsaku Nomura of Bitforest Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-4438
JVN iPedia JVNDB-2016-000110

Update History

2016/06/23
NTT-CERT update status
2016/07/05
FUJITSU LIMITED update status