Security Bulletin: Remediation of Multiple Apache Struts Vulnerabilities in IBM Library Support for Struts

Vulnerability Details

CVEID:   CVE-2008-2025
DESCRIPTION:   Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM X-Force
CVSS Base score:   4.3
CVSS Vector:   (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2014-0114
DESCRIPTION:   Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   6.8
CVSS Vector:   (CVSS:2.0/AV:N/AC:L/Au:N/C:L/I:L/A:L/E:F/RL:OF/RC:C)

CVEID:   CVE-2015-0899
DESCRIPTION:   The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2016-1181
DESCRIPTION:   ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
CVSS Source:   IBM X-Force
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2016-1182
DESCRIPTION:   ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   4.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:   CVE-2023-34396
DESCRIPTION:   Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-49735
DESCRIPTION:   ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2025-54656
DESCRIPTION:   ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE:   CWE-117: Improper Output Neutralization for Logs
CVSS Source:   CISA ADP
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2019-10086
DESCRIPTION:   In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2015-7501
DESCRIPTION:   Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   NVD
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2015-6420
DESCRIPTION:   Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   NVD
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2013-0248
DESCRIPTION:   The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
CWE:   CWE-264: Permissions, Privileges, and Access Controls
CVSS Source:   IBM X-Force
CVSS Base score:   3.3
CVSS Vector:   (AV:L/AC:M/Au:N/C:N/I:P/A:P)

CVEID:   CVE-2013-2186
DESCRIPTION:   The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   6.4
CVSS Vector:   (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVEID:   CVE-2014-0050
DESCRIPTION:   MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
CWE:   CWE-264: Permissions, Privileges, and Access Controls
CVSS Source:   IBM X-Force
CVSS Base score:   5
CVSS Vector:   (CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

CVEID:   CVE-2016-1000031
DESCRIPTION:   Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CWE:   CWE-284: Improper Access Control
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2016-3092
DESCRIPTION:   The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-24998
DESCRIPTION:   Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-17571
DESCRIPTION:   Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-4104
DESCRIPTION:   JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23302
DESCRIPTION:   JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23305
DESCRIPTION:   By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CWE:   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-23307
DESCRIPTION:   CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2015-0254
DESCRIPTION:   Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) x:parse or (2) x:transform JSTL XML tag.
CVSS Source:   IBM X-Force
CVSS Base score:   7.5
CVSS Vector:   (CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)