SecurityTracker.com
Category:   Application (Generic)  >   Apache Struts
Vendors:   Apache Software Foundation
Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
SecurityTracker Alert ID:  1036056
SecurityTracker URL:  http://securitytracker.com/id/1036056
CVE Reference:   CVE-2016-1181, CVE-2016-1182
Date:  Jun 8 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 1.0 - 1.3.10
Description:   Several vulnerabilities were reported in Apache Struts. A remote user can cause denial of service conditions on the target system. A remote user can execute arbitrary code on the target system. A remote user can obtain potentially sensitive information on the target system.

A remote user can send specially crafted data to cause denial of service conditions, obtain potentially sensitive information, or execute arbitrary code on the target system. The impact depends on the application using Apache Struts.

The ActionForm components are affected [CVE-2016-1181].

The Validator components are affected [CVE-2016-1182].

The original advisories are available at:

https://jvn.jp/en/jp/JVN03188560/
https://jvn.jp/en/jp/JVN65044642/

JPCERT/CC reported these vulnerabilities.

Impact:   A remote user can cause denial of service conditions.

A remote user can execute arbitrary code on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   No solution was available at the time of this entry.

The product has reached End of Life status.

Vendor URL:  struts.apache.org/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 19 2016 (Oracle Issues Fix for Oracle Portal) Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Portal.
Jul 20 2016 (Oracle Issues Fix for Oracle Financial Services Applications) Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Oracle Financial Services Applications.
Oct 26 2016 (IBM Issues Fix for IBM WebSphere Portal) Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
IBM has issued a fix for IBM WebSphere Portal.
Apr 19 2017 (Oracle Issues Fix for Oracle WebLogic) Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Oracle has issued a fix for Oracle WebLogic.



 Source Message Contents



[Original Message Not Available for Viewing]