Published: 2020/08/25  Last Updated: 2022/09/08

JVN#50890770
Apache Struts 2 vulnerable to denial-of-service (DoS)

Overview

Apache Struts 2 contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Struts 2.0.0 to 2.5.20

Description

Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service (DoS) vulnerability (CWE-400: Uncontrolled Resource Consumption).

Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service (DoS) condition on the affected application.

Solution

Update the Software
Update to the latest version according to the information provided by the developer (see the S2-060 advisory under Vendor Link below).

Apply a Workaround
Apply the following workaround to mitigate the impact of this vulnerability:

Add java.io. and java.nio. to the value attribute of the struts.excludedPackageNames constant in struts-default.xml.

struts.excludedPackageNames is the comma-separated package blocklist of the Struts OGNL sandbox. struts-default.xml ships inside the struts2-core jar, so in practice the constant is overridden in the application's own struts.xml; because an override replaces the shipped list rather than extending it, keep the existing entries and append the two new packages.

However, the developer recommends updating the software rather than relying on the workaround.
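The following triage helpers are an added example for this advisory; they are not part of the JVN page or of Apache Struts. They assume (not stated on the page) that the framework jar is named struts2-core-<version>.jar and that the application's struts.xml overrides the struts.excludedPackageNames constant from struts-default.xml. The sample struts.xml is constructed here and its exclusion list is abbreviated; the real default entries must be copied from the struts-default.xml of the deployed struts2-core version.

```shell
#!/bin/sh
# Added triage helpers for JVN#50890770 / CVE-2019-0233 (S2-060).
# Not part of the JVN advisory or of Apache Struts.

# struts_version_affected VERSION
#   0 if VERSION is within the affected range 2.0.0 .. 2.5.20,
#   1 if outside it, 2 if VERSION is not a dotted numeric triple.
struts_version_affected() {
  # keep only the leading major.minor.patch (drops "-SNAPSHOT" style suffixes)
  v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/')
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$major" -eq 2 ] || return 1
  [ "$minor" -lt 5 ] && return 0
  [ "$minor" -eq 5 ] && [ "$patch" -le 20 ] && return 0
  return 1
}

# scan_struts_jars DIR
#   Assumed jar naming: struts2-core-<version>.jar. Prints one line per jar.
scan_struts_jars() {
  find "$1" -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
    base=$(basename "$jar" .jar)
    ver=${base#struts2-core-}
    if struts_version_affected "$ver"; then
      echo "AFFECTED $ver $jar"
    else
      echo "ok       $ver $jar"
    fi
  done
}

# struts_workaround_present FILE
#   0 if FILE sets struts.excludedPackageNames with a value that names both
#   java.io. and java.nio. (the S2-060 workaround), 1 otherwise.
#   Heuristic: expects the name attribute before the value attribute.
struts_workaround_present() {
  val=$(tr -d '\n' < "$1" \
    | sed -n 's/.*<constant[^>]*name="struts.excludedPackageNames"[^>]*value="\([^"]*\)".*/\1/p' \
    | tr -d ' \t')
  case ",$val," in
    *,java.io.,*) ;;
    *) return 1 ;;
  esac
  case ",$val," in
    *,java.nio.,*) return 0 ;;
    *) return 1 ;;
  esac
}

# write_sample_struts_xml FILE
#   Constructed sample struts.xml carrying the workaround. The exclusion list
#   is abbreviated: copy the full default value from the struts-default.xml of
#   the struts2-core version actually deployed, then append java.io. and java.nio.
write_sample_struts_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Overriding the constant replaces the shipped list, so the existing
         entries (abbreviated here) are kept and java.io. / java.nio. appended. -->
    <constant name="struts.excludedPackageNames"
              value="ognl.,javax.,freemarker.core.,freemarker.template,java.io.,java.nio."/>
</struts>
EOF
}

# usage: sh struts_triage.sh /path/to/webapps
if [ $# -gt 0 ]; then
  scan_struts_jars "$1"
fi
```

Run the script against a directory of deployed applications to list struts2-core jars in the affected range; `struts_workaround_present` can be pointed at each application's struts.xml to confirm the interim mitigation is in place where an upgrade has not yet been rolled out.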

Vendor Status

Vendor                              Status                              Last Update  Vendor Notes
Azbil Corporation                   Vulnerability Information Provided  2020/08/25
BizMobile Inc.                      Not Vulnerable                      2020/08/25
FUJITSU LIMITED                     Not Vulnerable                      2020/08/25
JT Engineering inc.                 Not Vulnerable                      2020/08/25
JustSystems Corporation             Vulnerability Information Provided  2020/08/25
JVCKENWOOD Corporation              Vulnerability Information Provided  2020/08/25
NEC Corporation                     Vulnerable                          2022/09/08
NTT DATA Corporation                Not Vulnerable                      2020/08/25
Sony Corporation                    Vulnerability Information Provided  2020/08/25
Sumitomo Electric Industries, LTD.  Not Vulnerable                      2020/08/25
Toshiba Corporation                 Vulnerable, investigating           2020/08/25
TOSHIBA TEC CORPORATION             Not Vulnerable                      2020/08/25
Vendor Link
The Apache Software Foundation: S2-060 - Apache Struts 2 Wiki - Apache Software Foundation

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: 5.9
  Attack Vector (AV):          Network (N)
  Attack Complexity (AC):      High (H)
  Privileges Required (PR):    None (N)
  User Interaction (UI):       None (N)
  Scope (S):                   Unchanged (U)
  Confidentiality Impact (C):  None (N)
  Integrity Impact (I):        None (N)
  Availability Impact (A):     High (H)

CVSS v2  AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score: 4.3
  Access Vector (AV):          Network (N)
  Access Complexity (AC):      Medium (M)
  Authentication (Au):         None (N)
  Confidentiality Impact (C):  None (N)
  Integrity Impact (I):        None (N)
  Availability Impact (A):     Partial (P)

Credit

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE         CVE-2019-0233
JVN iPedia  JVNDB-2020-000055

Update History

2020/12/22
NEC Corporation status updated
2022/09/08
NEC Corporation status updated