
Vulnerabilities

A Vulnerability is a state in a computing system (or set of systems) which either (a) allows an attacker to execute commands as another user, (b) allows an attacker to access data that is contrary to the specified access restrictions for that data, (c) allows an attacker to pose as another entity, or (d) allows an attacker to conduct a denial of service. Advisories relating to Symantec products may be viewed here.

Apache Struts CVE-2016-1181 Remote Code Execution Vulnerability

Risk: High
Date Discovered: June 07, 2016
Description:
Apache Struts is prone to a remote code-execution vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition. Apache Struts 1.0 through 1.3.10 are vulnerable.
Technologies Affected
  • Apache Struts 1.0
  • Apache Struts 1.0.2
  • Apache Struts 1.1
  • Apache Struts 1.1 B1
  • Apache Struts 1.1 B2
  • Apache Struts 1.1 B3
  • Apache Struts 1.1 RC1
  • Apache Struts 1.1 RC2
  • Apache Struts 1.2.2
  • Apache Struts 1.2.4
  • Apache Struts 1.2.6
  • Apache Struts 1.2.7
  • Apache Struts 1.2.8
  • Apache Struts 1.2.9
  • Apache Struts 1.2.9 SP2
  • Apache Struts 1.2.9 sp1
  • Apache Struts 1.3.10
  • Apache Struts 1.3.5
  • Apache Struts 1.3.8
  • IBM BigFix Remote Control 9.1.2
  • IBM Business Process Manager Advanced 7.5.0.0
  • IBM Business Process Manager Advanced 7.5.0.1
  • IBM Business Process Manager Advanced 7.5.1.0
  • IBM Business Process Manager Advanced 7.5.1.1
  • IBM Business Process Manager Advanced 7.5.1.2
  • IBM Business Process Manager Advanced 8.0.0.0
  • IBM Business Process Manager Advanced 8.0.1
  • IBM Business Process Manager Advanced 8.0.1.1
  • IBM Business Process Manager Advanced 8.0.1.2
  • IBM Business Process Manager Advanced 8.0.1.3
  • IBM Business Process Manager Advanced 8.5.0
  • IBM Business Process Manager Advanced 8.5.0.1
  • IBM Business Process Manager Advanced 8.5.0.2
  • IBM Business Process Manager Advanced 8.5.5.0
  • IBM Business Process Manager Advanced 8.5.6.0
  • IBM Business Process Manager Advanced 8.5.7.0
  • IBM Content Foundation 5.2.0
  • IBM FTM for ACH 3.0.0.0
  • IBM FTM for ACH 3.0.0.1
  • IBM FTM for ACH 3.0.0.10
  • IBM FTM for ACH 3.0.0.11
  • IBM FTM for ACH 3.0.0.12
  • IBM FTM for ACH 3.0.0.13
  • IBM FTM for ACH 3.0.0.14
  • IBM FTM for ACH 3.0.0.2
  • IBM FTM for ACH 3.0.0.3
  • IBM FTM for ACH 3.0.0.4
  • IBM FTM for ACH 3.0.0.5
  • IBM FTM for ACH 3.0.0.6
  • IBM FTM for ACH 3.0.0.7
  • IBM FTM for ACH 3.0.0.8
  • IBM FTM for ACH 3.0.0.9
  • IBM FTM for CPS 2.1.1.0
  • IBM FTM for CPS 2.1.1.1
  • IBM FTM for CPS 2.1.1.2
  • IBM FTM for CPS 2.1.1.3
  • IBM FTM for CPS 3.0.0.0
  • IBM FTM for CPS 3.0.0.1
  • IBM FTM for CPS 3.0.0.10
  • IBM FTM for CPS 3.0.0.11
  • IBM FTM for CPS 3.0.0.12
  • IBM FTM for CPS 3.0.0.13
  • IBM FTM for CPS 3.0.0.14
  • IBM FTM for CPS 3.0.0.2
  • IBM FTM for CPS 3.0.0.3
  • IBM FTM for CPS 3.0.0.4
  • IBM FTM for CPS 3.0.0.5
  • IBM FTM for CPS 3.0.0.6
  • IBM FTM for CPS 3.0.0.7
  • IBM FTM for CPS 3.0.0.8
  • IBM FTM for CPS 3.0.0.9
  • IBM FTM for Check 3.0.0.0
  • IBM FTM for Check 3.0.0.1
  • IBM FTM for Check 3.0.0.10
  • IBM FTM for Check 3.0.0.11
  • IBM FTM for Check 3.0.0.12
  • IBM FTM for Check 3.0.0.13
  • IBM FTM for Check 3.0.0.14
  • IBM FTM for Check 3.0.0.2
  • IBM FTM for Check 3.0.0.3
  • IBM FTM for Check 3.0.0.4
  • IBM FTM for Check 3.0.0.5
  • IBM FTM for Check 3.0.0.6
  • IBM FTM for Check 3.0.0.7
  • IBM FTM for Check 3.0.0.8
  • IBM FTM for Check 3.0.0.9
  • IBM FileNet Content Manager 5.2.0
  • IBM InfoSphere Information Governance Catalog 11.3
  • IBM InfoSphere Information Governance Catalog 11.5
  • IBM InfoSphere Information Server 11.3
  • IBM InfoSphere Information Server 11.5
  • IBM InfoSphere Information Server 8.5
  • IBM InfoSphere Information Server 8.7
  • IBM InfoSphere Information Server 9.1
  • IBM Infosphere Metadata Workbench 8.5
  • IBM Infosphere Metadata Workbench 8.7
  • IBM Infosphere Metadata Workbench 9.1
  • IBM Security Identity Manager 6.0
  • IBM Security Privileged Identity Manager 2.0
  • IBM Spectrum Control 5.2.10
  • IBM Spectrum Control 5.2.10.1
  • IBM Spectrum Control 5.2.8
  • IBM Spectrum Control 5.2.9
  • IBM Tivoli Monitoring 6.2.2
  • IBM Tivoli Monitoring 6.2.2 FP6
  • IBM Tivoli Monitoring 6.2.2 FP9
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 05
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 09
  • IBM Tivoli Monitoring 6.2.2 Fix Pack 9
  • IBM Tivoli Monitoring 6.2.2 FixPack 4
  • IBM Tivoli Monitoring 6.2.3
  • IBM Tivoli Monitoring 6.2.3 FP5
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 03
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 05
  • IBM Tivoli Monitoring 6.2.3 Fix Pack 3
  • IBM Tivoli Monitoring 6.3.0
  • IBM Tivoli Monitoring 6.3.0 FP4
  • IBM Tivoli Monitoring 6.3.0 FP6
  • IBM Tivoli Monitoring 6.3.0 FP7
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 02
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 03
  • IBM Tivoli Monitoring 6.3.0 Fix Pack 1
  • IBM Tivoli Storage Productivity Center 5.2.0
  • IBM Tivoli Storage Productivity Center 5.2.1.0
  • IBM Tivoli Storage Productivity Center 5.2.1.1
  • IBM Tivoli Storage Productivity Center 5.2.10
  • IBM Tivoli Storage Productivity Center 5.2.2
  • IBM Tivoli Storage Productivity Center 5.2.3
  • IBM Tivoli Storage Productivity Center 5.2.4
  • IBM Tivoli Storage Productivity Center 5.2.4.1
  • IBM Tivoli Storage Productivity Center 5.2.5
  • IBM Tivoli Storage Productivity Center 5.2.5.1
  • IBM Tivoli Storage Productivity Center 5.2.6
  • IBM Tivoli Storage Productivity Center 5.2.7
  • IBM Tivoli Storage Productivity Center 5.2.7.1
  • IBM WebSphere Application Server Hypervisor Edition
  • IBM WebSphere Service Registry and Repository 8.0
  • IBM WebSphere Service Registry and Repository 8.0.0.1
  • IBM WebSphere Service Registry and Repository 8.0.0.2
  • IBM WebSphere Service Registry and Repository 8.0.0.3
  • IBM WebSphere Service Registry and Repository 8.5
  • IBM WebSphere Service Registry and Repository 8.5.0.1
  • IBM WebSphere Service Registry and Repository 8.5.5.0
  • IBM WebSphere Service Registry and Repository 8.5.6.0
  • IBM Websphere Application Server 8.0
  • IBM Websphere Application Server 8.5 Full Profile
  • IBM Websphere Application Server 8.5 Liberty Profile
  • IBM Websphere Application Server 8.5.5 Full Profile
  • IBM Websphere Application Server 8.5.5.0 - Liberty Profile
  • IBM Websphere Application Server 9.0
  • IBM Websphere Portal 6.1
  • IBM Websphere Portal 7.0
  • IBM Websphere Portal 8.0
  • IBM Websphere Portal 8.5
  • Oracle Banking Platform 2.3.0
  • Oracle Banking Platform 2.4.0
  • Oracle Banking Platform 2.4.1
  • Oracle Banking Platform 2.5.0
  • Oracle Communications Converged Application Server 7.0
  • Oracle Communications Policy Management 12.1
  • Oracle Communications Policy Management 12.2
  • Oracle Communications Policy Management 12.3
  • Oracle Communications Policy Management 12.4
  • Oracle JD Edwards EnterpriseOne Tools 9.1
  • Oracle Portal 11.1.1.6.0
  • Oracle Retail Clearance Optimization Engine 14.0.5
  • Oracle Retail Markdown Optimization 13.4.4
  • Oracle Retail Order Management System 5.0
  • Oracle WebCenter Sites 11.1.1.8.0
  • WAMNET JAPAN K.K. GigaCC OFFICE 2.3
Recommendations
  • Run all software as a nonprivileged user with minimal access rights.
    To reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
    Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
  • Do not follow links provided by unknown or untrusted sources.
    To reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.
  • Implement multiple redundant layers of security.
    Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Credits
The vendor reported this issue.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.