Published: 2016/06/07  Last Updated: 2016/06/08

JVN#65044642
Apache Struts 1 vulnerable to input validation bypass

Overview

The Apache Struts 1 Validator contains a vulnerability where input validation is bypassed.

Products Affected

  • Apache Struts 1 versions 1.0 through 1.3.10

Description

The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified.
This occurs when one of the following ActionForm classes (or a subclass of either) is held in session scope.

  • ValidatorForm
  • ValidatorActionForm
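A triage helper for the condition described above, added here as an example and not part of the JVN advisory or of Apache Struts: it parses a struts-config.xml and lists the action mappings whose form-bean is a ValidatorForm or ValidatorActionForm held in session scope. It assumes the standard form-beans / action-mappings layout and relies on the fact that a Struts 1 action mapping with no scope attribute defaults to session scope; the sample configuration is constructed.

```python
"""List Struts 1 action mappings that keep a ValidatorForm or
ValidatorActionForm in session scope (the condition in JVN#65044642).
Constructed example; assumes a standard struts-config.xml layout."""
import xml.etree.ElementTree as ET

# Form types named in the advisory. Application subclasses are declared
# under their own class names and are not recognised from the XML alone.
VALIDATOR_FORM_TYPES = {
    "org.apache.struts.validator.ValidatorForm",
    "org.apache.struts.validator.ValidatorActionForm",
}


def session_scoped_validator_forms(struts_config_xml):
    """Return [(action path, form-bean name, effective scope)] for every
    action mapping whose form is one of VALIDATOR_FORM_TYPES and is held
    in session scope. An omitted scope attribute means session in Struts 1."""
    root = ET.fromstring(struts_config_xml)
    validator_beans = {
        fb.get("name")
        for fb in root.iter("form-bean")
        if fb.get("type") in VALIDATOR_FORM_TYPES
    }
    findings = []
    for action in root.iter("action"):
        form = action.get("name")
        if form not in validator_beans:
            continue
        scope = action.get("scope", "session")  # Struts 1 default scope
        if scope == "session":
            findings.append((action.get("path"), form, scope))
    return findings


# Constructed sample configuration, not taken from any real application.
SAMPLE_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.ValidatorActionForm"/>
    <form-bean name="plainForm" type="org.apache.struts.action.ActionForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" type="app.LoginAction"/>
    <action path="/search" name="searchForm" scope="request" type="app.SearchAction"/>
    <action path="/plain" name="plainForm" scope="session" type="app.PlainAction"/>
  </action-mappings>
</struts-config>"""

if __name__ == "__main__":
    for path, form, scope in session_scoped_validator_forms(SAMPLE_CONFIG):
        print(f"{path}: form-bean {form} held in {scope} scope")
```

Only /login is reported: /search is explicitly request-scoped and /plain uses a non-Validator form. Because the advisory also covers subclasses, add your application's own ValidatorForm subclasses to VALIDATOR_FORM_TYPES before running this against a real configuration.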

Impact

Effects vary depending on the web application. For example, cross-site scripting attacks or denial-of-service (DoS) attacks may be possible.

Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by the developers of products that use Apache Struts 1.

Vendor Status

Vendor                        Status                              Last Update   Vendor Notes
Allied Telesis K.K.           Not Vulnerable                      2016/06/07
Cybozu, Inc.                  Not Vulnerable                      2016/06/07
FUJITSU LIMITED               Vulnerable                          2016/06/07
Hitachi                       Not Vulnerable, investigating       2016/06/07
JT Engineering inc.           Not Vulnerable                      2016/06/07
NEC Corporation               Vulnerable, investigating           2016/06/07
NTT DATA Corporation          Vulnerable                          2016/06/07    NTT DATA Corporation website
RICOH COMPANY, LTD.           Vulnerable                          2016/06/07
Seasar Foundation             Vulnerability Information Provided  2016/06/07

Vendor                        Link
The Apache Software Foundation  Apache Struts 1 End-Of-Life (EOL) Announcement

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Base Score: 4.8
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Low (L)
Availability Impact (A): Low (L)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:P
Base Score: 5.8
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Comment

This analysis assumes that a logged-in attacker attempts unintended data input or denial-of-service (DoS) attacks.

Credit

Other Information

CVE CVE-2016-1182
JVN iPedia JVNDB-2016-000097

Update History

2016/06/08
NEC Corporation status updated