Published: 2020/08/25  Last Updated: 2022/09/08

JVN#50890770
Apache Struts 2 vulnerable to denial-of-service (DoS)

Overview

Apache Struts 2 contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Struts 2.0.0 to 2.5.20

Description

Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service (DoS) vulnerability classified as Uncontrolled Resource Consumption (CWE-400).

Impact

A remote attacker without authentication may be able to cause a denial-of-service (DoS) condition.

Solution

Update the Software
Update to a fixed version (Struts 2.5.22 or later) according to the information provided by the developer in advisory S2-060.

Apply a Workaround
Apply the following workaround to mitigate the impact of this vulnerability:

Add java.io. and java.nio. to the value attribute of the struts.excludedPackageNames constant. The constant is defined in struts-default.xml inside the struts2-core jar; it can equally be overridden in the application's own struts.xml, in which case the whole list must be restated, because a constant set there replaces the default value rather than appending to it.

The developer nevertheless recommends updating the software rather than relying on the workaround.
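The following struts.xml fragment is an added example of applying the workaround above; it is not part of the JVN advisory or of the Apache Struts distribution. It overrides the constant in the application's own configuration instead of editing struts-default.xml inside the jar. The package entries listed before java.io. are an assumption standing in for whatever the struts-default.xml of your Struts version already contains; copy that list verbatim and append the two new entries, since the value set here replaces the default list rather than adding to it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Workaround for S2-060 / CVE-2019-0233 (example, not project code).
         A constant set in struts.xml REPLACES the value from struts-default.xml,
         so the complete list must be given here. The entries before "java.io."
         are an assumption: take the real list from the struts-default.xml
         shipped in your struts2-core jar and append java.io. and java.nio. -->
    <constant name="struts.excludedPackageNames"
              value="ognl.,java.lang.,java.lang.reflect.,javax.,java.io.,java.nio." />

    <!-- Unrelated application configuration continues as before. -->
    <package name="default" extends="struts-default">
        <action name="upload" class="example.UploadAction">
            <result>/upload-result.jsp</result>
        </action>
    </package>
</struts>
```

After deploying, confirm the value actually took effect (for instance by checking the Struts startup log at DEBUG level, or by reviewing the merged configuration), and regression-test the application's file-upload actions, since the workaround tightens which packages OGNL may reach during parameter handling.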

Vendor Status

Vendor                              Status                              Last Update   Vendor Notes
Azbil Corporation                   Vulnerability Information Provided  2020/08/25
BizMobile Inc.                      Not Vulnerable                      2020/08/25
FUJITSU LIMITED                     Not Vulnerable                      2020/08/25
JT Engineering inc.                 Not Vulnerable                      2020/08/25
JustSystems Corporation             Vulnerability Information Provided  2020/08/25
JVCKENWOOD Corporation              Vulnerability Information Provided  2020/08/25
NEC Corporation                     Vulnerable                          2022/09/08
NTT DATA Corporation                Not Vulnerable                      2020/08/25
Sony Corporation                    Vulnerability Information Provided  2020/08/25
Sumitomo Electric Industries, LTD.  Not Vulnerable                      2020/08/25
Toshiba Corporation                 Vulnerable, investigating           2020/08/25
TOSHIBA TEC CORPORATION             Not Vulnerable                      2020/08/25
Vendor Link
The Apache Software Foundation: S2-060 - Apache Struts 2 Wiki - Apache Software Foundation

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H   Base Score: 5.9
CVSS v2  AV:N/AC:M/Au:N/C:N/I:N/A:P                     Base Score: 4.3

The v3 vector describes a network-reachable attack that needs no privileges or user interaction and affects availability only; the high attack complexity (AC:H) is what keeps the base score at 5.9 (Medium).

Credit

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-0233
JVN iPedia: JVNDB-2020-000055

Update History

2020/12/22  NEC Corporation: status updated
2022/09/08  NEC Corporation: status updated