Published:2020/12/11  Last Updated:2020/12/11

JVN#43969166
Apache Struts 2 vulnerable to remote code execution (S2-061)

Overview

Apache Struts 2 contains a remote code execution vulnerability.

Products Affected

  • Apache Struts 2.0.0 to 2.5.25

Description

Apache Struts 2 provided by The Apache Software Foundation contains a remote code execution vulnerability due to improper input validation (CWE-20).

Impact

A remote attacker may execute arbitrary code.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Apply the workaround
Do not use forced OGNL evaluation in the tag's attributes based on untrusted/unvalidated user input.
The developer reccomends the users to follow the recommendations from the Security Guide.

Vendor Status

Vendor Status Last Update Vendor Notes
DENSO Corporation Vulnerability Information Provided 2020/12/11
FANUC CORPORATION Vulnerability Information Provided 2020/12/11
FUJITSU CONNECTED TECHNOLOGIES LIMITED Vulnerability Information Provided 2020/12/11
FUJITSU LIMITED Not Vulnerable 2020/12/11
Hitachi Vulnerability Information Provided 2020/12/11
INTEC Inc. Vulnerability Information Provided 2020/12/11
JVCKENWOOD Corporation Vulnerability Information Provided 2020/12/11
NEC Corporation Vulnerability Information Provided 2020/12/11
NTT DATA Corporation Not Vulnerable, investigating 2020/12/11
Phone Appli Inc. Vulnerability Information Provided 2020/12/11
Rakuten, Inc Vulnerability Information Provided 2020/12/11
RICOH COMPANY, LTD. Vulnerability Information Provided 2020/12/11
Smart Solution Technology, Inc. Not Vulnerable, investigating 2020/12/11
Sony Corporation Vulnerability Information Provided 2020/12/11
Symantec Japan, Inc. Vulnerability Information Provided 2020/12/11
TDK Corporation Not Vulnerable 2020/12/11
Toshiba Corporation Vulnerability Information Provided 2020/12/11
WAM!NET Japan K.K. Not Vulnerable 2020/12/11

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Masato Anzai of Aeye Security Lab, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-17530
JVN iPedia JVNDB-2020-000084