CVE-2010-1870 Struts vulnerability with WebSphere Commerce

Technote (troubleshooting)


Problem(Abstract)

This technote helps you verify whether you are protected against the CVE-2010-1870 Struts vulnerability when using IBM WebSphere Commerce Enterprise.

Symptom

The National Vulnerability Database defines the following Struts security vulnerability:

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye Crucible and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors by way of the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.



Diagnosing the problem

You are using WebSphere Commerce Version 6.0 or Version 7.0, both of which use the Struts framework.

Resolving the problem

WebSphere Commerce Version 6.0 ships with Struts version 1.1 and WebSphere Commerce Version 7.0 ships with Struts 1.3.9. The vulnerability described is only applicable to Struts 2.0.0 through 2.1.8.1. Therefore this specific vulnerability does not affect WebSphere Commerce.
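The check above comes down to one question: which Struts version is actually deployed, and does it fall inside 2.0.0 through 2.1.8.1? The following script is an added example, not code from IBM or from this technote, that answers it for a directory of jars (for instance an application's WEB-INF/lib). It assumes that a Struts jar's META-INF/MANIFEST.MF carries an Implementation-Version header (common for Maven-built jars) and falls back to the version embedded in the file name when it does not; the sample jars it builds in demo() are constructed for illustration and contain only a manifest.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range per the technote and NVD: Struts 2.0.0 through 2.1.8.1 inclusive.
# Versions are normalised to 4-tuples so that "2.1.8" and "2.1.8.1" compare sensibly.
AFFECTED_MIN = (2, 0, 0, 0)
AFFECTED_MAX = (2, 1, 8, 1)


def parse_version(text):
    """Parse '2.1.8.1' into a 4-tuple of ints, zero-padded ('1.3.9' -> (1, 3, 9, 0)).
    Non-numeric suffixes such as '-SNAPSHOT' are dropped. Returns None if no number is found."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        return None
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True only for Struts 2.0.0 .. 2.1.8.1; Struts 1.x (what WebSphere Commerce 6.0/7.0 ship) is False."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def jar_version(jar_path):
    """Read a jar's version. Assumption (not from the technote): META-INF/MANIFEST.MF carries
    an Implementation-Version header; if it does not, fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == "implementation-version":
                return value.strip()
    except (KeyError, zipfile.BadZipFile, OSError):
        pass
    m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None


def scan_for_struts(root):
    """Walk a directory tree and report every struts*.jar as {name: (version, affected)}."""
    report = {}
    for jar in sorted(Path(root).rglob("struts*.jar")):
        version = jar_version(jar)
        report[jar.name] = (version, version is not None and is_affected(version))
    return report


def _write_sample_jar(path, manifest_version):
    """Constructed sample jar (not a real Struts artifact) containing only a manifest."""
    body = "Manifest-Version: 1.0\n"
    if manifest_version:
        body += f"Implementation-Version: {manifest_version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", body)


def demo():
    """Build three constructed jars in a temporary WEB-INF/lib and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        _write_sample_jar(lib / "struts-1.3.9.jar", "1.3.9")             # WebSphere Commerce 7.0 level
        _write_sample_jar(lib / "struts2-core-2.1.8.1.jar", "2.1.8.1")   # last affected release
        _write_sample_jar(lib / "struts2-core-2.2.1.jar", None)          # no manifest version: use file name
        return scan_for_struts(lib)


if __name__ == "__main__":
    for name, (version, affected) in demo().items():
        print(f"{name}: version={version} affected={affected}")
```

Run it against a real installation with scan_for_struts("/path/to/app/WEB-INF/lib"); a Struts 1.1 or 1.3.9 jar reports affected=False, matching the technote's conclusion, while any 2.0.0 through 2.1.8.1 jar found elsewhere on the server would be flagged.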


Document Information

Modified date:
12 October 2021

UID

ibm10766427