Published:2016/06/07  Last Updated:2016/07/12

Apache Struts 1 vulnerability that allows unintended remote operations against components in memory


Overview

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components in server memory, such as Servlets and the ClassLoader.

Products Affected

  • Apache Struts versions 1.0 through 1.3.10


Description

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components in server memory, such as Servlets and the ClassLoader, when the following two conditions are both met:

Condition 1:

One of the following ActionForm classes (or a subclass of one of them) is stored in the session scope, and multiple threads that process the same session can access the same ActionForm instance:
  • ActionForm (not including classes that implement the DynaBean interface, such as DynaActionForm and its subclasses)
  • ValidatingActionForm
  • ValidatorForm
  • ValidatorActionForm

Condition 2:

The application can process multipart requests.
(This condition is met whether or not the web application itself uses multipart forms, since the request handling does not depend on the form in use.)
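Condition 1 can be checked from the module's struts-config.xml alone: in Struts 1 an action mapping stores its form bean in the session unless the mapping sets scope="request", so every mapping bound to a non-Dyna form bean without an explicit request scope qualifies. The following audit script is an added example (it is not part of the JVN advisory or of the Apache Struts project); the struts-config.xml it parses is constructed here for the demonstration, and the com.example.* class names are hypothetical. Custom subclasses of DynaActionForm cannot be recognised by class name, so the script reports every form type it does not know as a DynaBean and leaves the final decision to a source review.

```python
"""Audit a Struts 1 struts-config.xml for Condition 1 of the advisory:
ActionForm beans (not DynaBean forms) bound to session-scoped mappings.
Added example; not code from the JVN advisory or from Apache Struts."""
import xml.etree.ElementTree as ET

# Struts 1 form-bean types that implement DynaBean; the advisory excludes
# these from Condition 1. Custom subclasses of these are NOT recognised by
# name, so anything not listed here is reported for manual inspection.
DYNA_FORM_TYPES = {
    "org.apache.struts.action.DynaActionForm",
    "org.apache.struts.validator.DynaValidatorForm",
    "org.apache.struts.validator.DynaValidatorActionForm",
}

# Constructed sample configuration; the com.example.* classes are hypothetical.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts-config PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 1.3//EN"
  "http://struts.apache.org/dtds/struts-config_1_3.dtd">
<struts-config>
  <form-beans>
    <form-bean name="loginForm"  type="com.example.LoginForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.DynaValidatorForm"/>
    <form-bean name="uploadForm" type="com.example.UploadForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login"  type="com.example.LoginAction"  name="loginForm"/>
    <action path="/search" type="com.example.SearchAction" name="searchForm" scope="session"/>
    <action path="/upload" type="com.example.UploadAction" name="uploadForm" scope="request"/>
    <action path="/logout" type="com.example.LogoutAction"/>
  </action-mappings>
  <controller multipartClass="org.apache.struts.upload.CommonsMultipartRequestHandler"/>
</struts-config>
"""


def audit_struts_config(xml_text):
    """Return the action mappings whose form bean meets Condition 1.

    Each finding is a dict with the mapping path, the form-bean name, its
    declared type (None if the bean is not declared) and the effective scope.
    """
    root = ET.fromstring(xml_text)
    form_types = {fb.get("name"): fb.get("type") for fb in root.iter("form-bean")}
    findings = []
    for action in root.iter("action"):
        bean = action.get("name")
        if bean is None:
            continue  # no form bean bound to this mapping
        # Struts 1 keeps the form in the session unless scope="request".
        scope = action.get("scope", "session")
        if scope != "session":
            continue
        form_type = form_types.get(bean)
        if form_type in DYNA_FORM_TYPES:
            continue  # DynaBean forms are excluded by the advisory
        findings.append({
            "path": action.get("path"),
            "form_bean": bean,
            "form_type": form_type,
            "scope": scope,
        })
    return findings


def multipart_handler(xml_text):
    """Return the multipartClass configured on <controller>, or None if the
    module relies on the Struts built-in handler (Condition 2 still applies)."""
    controller = ET.fromstring(xml_text).find("controller")
    if controller is None:
        return None
    return controller.get("multipartClass")


if __name__ == "__main__":
    for f in audit_struts_config(SAMPLE_CONFIG):
        print(f"{f['path']}: form bean '{f['form_bean']}' "
              f"({f['form_type']}) held in {f['scope']} scope")
    print("multipartClass:", multipart_handler(SAMPLE_CONFIG))
```

Running the script on the sample reports only /login: /search is excluded because its bean is a DynaValidatorForm, /upload because it is request-scoped, and /logout because no form is bound to it. Note that an explicit multipartClass is not required for Condition 2; the script only surfaces it so the reviewer can see which handler is active.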


Impact

The effects vary depending on the web application. For example, a denial-of-service (DoS) may occur.
In addition, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen from, or arbitrary code being executed on, the server where Apache Struts is running.


Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL) and receives no fixes from the Apache Software Foundation.
For information on countermeasures and patches, refer to the information provided by the vendors of the products that use Apache Struts 1 (see Vendor Status below).

Vendor Status

Vendor: Status (Last Update) - Vendor Notes
  • Allied Telesis K.K.: Not Vulnerable (2016/06/07)
  • Cybozu, Inc.: Vulnerable, investigating (2016/06/10)
  • FUJITSU LIMITED: Vulnerable (2016/06/07)
  • Hitachi: Not Vulnerable, investigating (2016/06/07)
  • JT Engineering inc.: Not Vulnerable (2016/06/07)
  • NEC Corporation: Vulnerable (2016/07/11)
  • NTT DATA Corporation: Vulnerable (2016/06/07) - NTT DATA Corporation website
  • RICOH COMPANY, LTD.: Vulnerable (2016/06/07)
  • Seasar Foundation: Vulnerability Information Provided (2016/06/07)

Vendor Link
  • The Apache Software Foundation: Apache Struts 1 End-Of-Life (EOL) Announcement


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 8.1
  • Attack Vector (AV): Physical (P) / Local (L) / Adjacent (A) / Network (N)
  • Attack Complexity (AC): High (H) / Low (L)
  • Privileges Required (PR): High (H) / Low (L) / None (N)
  • User Interaction (UI): Required (R) / None (N)
  • Scope (S): Unchanged (U) / Changed (C)
  • Confidentiality Impact (C): None (N) / Low (L) / High (H)
  • Integrity Impact (I): None (N) / Low (L) / High (H)
  • Availability Impact (A): None (N) / Low (L) / High (H)

CVSS v2 Base Score: 6.8
  • Access Vector (AV): Local (L) / Adjacent Network (A) / Network (N)
  • Access Complexity (AC): High (H) / Medium (M) / Low (L)
  • Authentication (Au): Multiple (M) / Single (S) / None (N)
  • Confidentiality Impact (C): None (N) / Partial (P) / Complete (C)
  • Integrity Impact (I): None (N) / Partial (P) / Complete (C)
  • Availability Impact (A): None (N) / Partial (P) / Complete (C)


This analysis assumes that an attacker who is logged in to the application attempts a denial-of-service (DoS) attack or attempts to obtain server modules.


Other Information

  • JPCERT Reports: (none)
  • CERT Advisory: (none)
  • CPNI Advisory: (none)
  • CVE: CVE-2016-1181
  • JVN iPedia: JVNDB-2016-000096

Update History

  • NEC Corporation update status
  • Cybozu, Inc. update status
  • NEC Corporation update status
  • NEC Corporation update status