Published:2016/06/20  Last Updated:2016/08/25

JVN#45093481
Multiple vulnerabilities in Apache Struts 2

Overview

Apache Struts 2 contains multiple vulnerabilities.

Products Affected

  • Apache Struts 2.3.20 to 2.3.28.1
Affects of this vulnearbility to Apache Struts 1 is unknown.
As of  April 5, 2013, Apache Software Foundation has announced that Apache Strtus 1 is no longer developed or supported.

Description

Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain multiple vulnerabilities listed below.

  • Cross-site request forgery (S2-038) - CVE-2016-4430
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 3.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Validation bypass in Getter method (S2-039) - CVE-2016-4433
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 5.6
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
  • Input validation bypass (S2-040) - CVE-2016-4431
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 5.6
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8

Impact

An unauthenticated remote attacker may redirect a user to unvalidated locations, store a crafted date, or lead a user to perform unintended operations.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Not Vulnerable 2016/06/20
NTT-CERT Not Vulnerable 2016/06/23
Vendor Link
Apache Software Foundation S2-038 - It is possible to bypass token validation and perform a CSRF attack
S2-039 - Getter as action method leads to security bypass
S2-040 - Input validation bypass using existing default action method.

References

JPCERT/CC Addendum

[Update: June 30, 2016]
The developer has stated that CVE-2016-4433 (S2-039) has been addressed in Struts 2.3.39. However the reporter and JPCERT/CC have each confirmed that the fix is insufficient and that arbitrary code can be executed in Struts 2.3.29 by exploiting CVE-2016-4433 (S2-039). JPCERT/CC is currently in contact with the vendor.

[Update: August 25, 2016]
CVE-2016-4433 (S2-039) has been addressed in Struts 2.3.29, although the vendor has confirmed that similar issues still exist. According to the developer, these issues will be addressed in a future release.

Vulnerability Analysis by JPCERT/CC

Credit

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-4430
CVE-2016-4433
CVE-2016-4431
JVN iPedia JVNDB-2016-000111 (S2-038)
JVNDB-2016-000112 (S2-039)
JVNDB-2016-000113 (S2-040)

Update History

2016/06/23
NTT-CERT update status
2016/06/30
Information under the section "JPCERT/CC Addendum" was added.
2016/08/25
Information under the section "JPCERT/CC Addendum" was modified.