Published:2016/06/07  Last Updated:2016/07/12

JVN#03188560
Apache Struts 1 vulnerability that allows unintended remote operations against components on memory

Overview

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader.

Products Affected

  • Apache Struts versions 1.0 through 1.3.10

Description

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:

Condition 1:

One of the following ActionForm classes (including their subclasses) is in the session scope, and multiple threads that process the same session can access the same ActionForm instance:
  • ActionForm (not including classes that implement the DynaBean interface, such as DynaActionForm and its subclasses)
  • ValidatingActionForm
  • ValidatorForm
  • ValidatorActionForm

Condition 2:

Multi-part requests can be processed.
(This condition applies whether or not the web application uses multi-part forms.)
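An added defender-side check, not part of the JVN advisory or of Apache Struts itself: a Python script that audits a Struts 1 struts-config.xml for Condition 1, flagging action mappings whose form bean is session-scoped (Struts 1 defaults an action's scope to "session" when the attribute is omitted) and is not a DynaBean type. Condition 2 cannot be judged from the config, so every flagged mapping should be treated as affected. The sample config and the com.example class names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml (not taken from any real application).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm"/>
    <form-bean name="searchForm" type="org.apache.struts.action.DynaActionForm"/>
    <form-bean name="profileForm" type="org.apache.struts.validator.ValidatorForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" scope="request" type="com.example.LoginAction"/>
    <action path="/search" name="searchForm" scope="session" type="com.example.SearchAction"/>
    <action path="/profile" name="profileForm" type="com.example.ProfileAction"/>
    <action path="/logout" type="com.example.LogoutAction"/>
  </action-mappings>
</struts-config>
"""

# Standard Struts 1 form-bean types that implement DynaBean and are therefore
# excluded by the advisory. A custom DynaBean implementation cannot be
# recognised from the config alone and must be reviewed by hand.
DYNA_TYPES = {
    "org.apache.struts.action.DynaActionForm",
    "org.apache.struts.validator.DynaValidatorForm",
    "org.apache.struts.validator.DynaValidatorActionForm",
}

def session_scoped_action_forms(config_xml):
    """Return (action path, form-bean name, form-bean type) for each action
    whose form bean is kept in session scope and is not a DynaBean type."""
    root = ET.fromstring(config_xml)
    types = {fb.get("name"): fb.get("type") for fb in root.iter("form-bean")}
    findings = []
    for action in root.iter("action"):
        form = action.get("name")
        if form is None:                       # action without a form bean
            continue
        if action.get("scope", "session") != "session":   # omitted => session
            continue
        bean_type = types.get(form)
        if bean_type in DYNA_TYPES:
            continue
        findings.append((action.get("path"), form, bean_type))
    return findings

if __name__ == "__main__":
    for path, form, bean_type in session_scoped_action_forms(SAMPLE_CONFIG):
        print(f"{path}: form-bean '{form}' ({bean_type}) is session-scoped")
```

Only /profile is reported: /login is request-scoped, /search uses DynaActionForm, and /logout has no form bean.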

Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur.
Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by the developers of products that use Apache Struts 1.

Vendor Status

Vendor                          Status                               Last Update   Vendor Notes
Allied Telesis K.K.             Not Vulnerable                       2016/06/07
Cybozu, Inc.                    Vulnerable, investigating            2016/06/10
FUJITSU LIMITED                 Vulnerable                           2016/06/07
Hitachi                         Not Vulnerable, investigating        2016/06/07
JT Engineering inc.             Not Vulnerable                       2016/06/07
NEC Corporation                 Vulnerable                           2016/07/11
NTT DATA Corporation            Vulnerable                           2016/06/07    NTT DATA Corporation website
RICOH COMPANY, LTD.             Vulnerable                           2016/06/07
Seasar Foundation               Vulnerability Information Provided   2016/06/07

Vendor                          Link
The Apache Software Foundation  Apache Struts 1 End-Of-Life (EOL) Announcement

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): High (H)
  Privileges Required (PR): None (N)
  User Interaction (UI): None (N)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): High (H)
  Availability Impact (A): High (H)

CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
  Access Vector (AV): Network (N)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): Partial (P)
  Availability Impact (A): Partial (P)

Comment

This analysis assumes that a logged-in attacker is attempting denial-of-service (DoS) attacks or is trying to obtain server modules.

Credit

Other Information

CVE: CVE-2016-1181
JVN iPedia: JVNDB-2016-000096

Update History

2016/06/08  NEC Corporation update status
2016/06/10  Cybozu, Inc. update status
2016/06/20  NEC Corporation update status
2016/07/12  NEC Corporation update status