Published: 2013/09/06  Last Updated: 2013/09/06

JVN#33504150
Apache Struts vulnerable to remote command execution

Overview

Apache Struts contains a remote command execution vulnerability.

Products Affected

  • Apache Struts 2.0.0 through 2.3.15

Description

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability.

This is the same issue that the developer published as S2-016 on July 16, 2013.

Note that attacks leveraging this vulnerability have been confirmed.

Impact

An arbitrary command may be executed on the server where Apache Struts resides.

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.
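A check an administrator could run over a server inventory before deciding whether the update above is needed, as an added example that is not part of this advisory or of the Apache Struts project; it assumes the framework's core library is deployed as struts2-core-<version>.jar (the Maven artifact name) under each application's WEB-INF/lib:

```python
# Added example, not code from JVN, JPCERT/CC or the Apache Struts project.
# Flags Struts 2 jars whose version lies in the range this advisory lists as
# affected. Assumption: the core library ships as struts2-core-<version>.jar
# (the Maven artifact name) under an application's WEB-INF/lib directory.
import os
import re

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 3, 15)  # "2.0.0 through 2.3.15", per Products Affected

# Two- to four-part versions (2.3.15, 2.3.15.1); a trailing qualifier such
# as -SNAPSHOT is tolerated but takes no part in the comparison.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(jar_name):
    """Version as a tuple of ints, or None if this is not a Struts core jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True if version lies inside the advisory's range, bounds included.
    Tuple comparison puts a four-part release such as 2.3.15.1 after
    (2, 3, 15), so patch releases above 2.3.15 fall outside the range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan(jar_paths):
    """[(path, 'x.y.z')] for every jar in the affected range; jar_paths is any
    iterable of paths, e.g. gathered with os.walk over a container's webapps."""
    findings = []
    for path in jar_paths:
        version = parse_version(os.path.basename(path))
        if version is not None and is_affected(version):
            findings.append((path, ".".join(map(str, version))))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not paths taken from any real system.
    sample = ["/srv/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.3.15.jar",
              "/srv/tomcat/webapps/intra/WEB-INF/lib/struts2-core-2.3.15.1.jar",
              "/srv/tomcat/webapps/old/WEB-INF/lib/struts2-core-2.0.11.jar",
              "/srv/tomcat/webapps/old/WEB-INF/lib/commons-lang-2.4.jar"]
    for path, version in scan(sample):
        print(f"AFFECTED {version}: {path}")
```

Applications that bundle Struts under a renamed or shaded jar will not be found by the file-name check, so treat a clean result as a first pass rather than proof that no affected copy is deployed.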

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert JPCERT-AT-2013-0033: Vulnerability in Apache Struts (S2-016)
CVE CVE-2013-2251
JVN iPedia JVNDB-2013-003469