Bugzilla – Bug 983728
VUL-0: CVE-2016-1181: struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
Last modified: 2016-07-01 14:28:03 UTC
https://jvn.jp/en/jp/JVN03188560/
JVN#03188560 Apache Struts 1 vulnerability that allows unintended remote operations against components on memory

Overview

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader.

Products Affected

Apache Struts versions 1.0 through 1.3.10

Description

The Apache Struts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:

Condition 1: One of the following ActionForm classes (including its subclasses) is in the session scope, and multiple threads that process the same session can access the same ActionForm instance:
  - ActionForm (not including classes that implement the DynaBean interface, such as DynaActionForm and its subclasses)
  - ValidatingActionForm
  - ValidatorForm
  - ValidatorActionForm

Condition 2: The application can process multi-part requests (this condition applies whether or not the web application uses multi-part forms)

Impact

Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur. Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.

Solution

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1343538
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181
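As an added triage aid (not part of the bug report or of Apache Struts), the script below reads a struts-config.xml and lists the action mappings that satisfy the advisory's Condition 1, i.e. a form bean that is not a DynaBean implementation kept in session scope. The set of DynaBean form types and the sample configuration are assumptions; custom form classes still need manual review, and Condition 2 (multipart handling) is not visible in this file.

```python
# Added triage helper (not from the bug report or Apache Struts): list the
# action mappings in a struts-config.xml that meet the advisory's Condition 1,
# a non-DynaBean ActionForm kept in session scope.  Condition 2 (multipart
# handling) and concurrent access to the session are not visible in the config.
import xml.etree.ElementTree as ET

# Assumption: Struts 1 form classes implementing DynaBean, which the advisory
# excludes from Condition 1.  Custom DynaBean subclasses must be checked by hand.
DYNA_FORM_TYPES = {
    "org.apache.struts.action.DynaActionForm",
    "org.apache.struts.validator.DynaValidatorForm",
    "org.apache.struts.validator.DynaValidatorActionForm",
    "org.apache.struts.validator.LazyValidatorForm",
}

def session_scoped_plain_forms(config_xml):
    """Return (action path, form name, form type) for each mapping that keeps a
    non-DynaBean form in session scope.  The <action> scope attribute defaults
    to "session" in Struts 1, so a missing attribute counts as session."""
    root = ET.fromstring(config_xml)
    form_types = {}
    for bean in root.iter("form-bean"):
        # The older dynamic="true" flag also marks a DynaActionForm.
        is_dyna = bean.get("type") in DYNA_FORM_TYPES or bean.get("dynamic") == "true"
        form_types[bean.get("name")] = (bean.get("type", ""), is_dyna)
    findings = []
    for action in root.iter("action"):
        name = action.get("name")
        if name not in form_types:
            continue
        form_type, is_dyna = form_types[name]
        if action.get("scope", "session") == "session" and not is_dyna:
            findings.append((action.get("path", ""), name, form_type))
    return findings

# Constructed sample config: a plain form in default (session) scope, a
# request-scoped form, and a DynaValidatorForm in session scope.
SAMPLE_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm"/>
    <form-bean name="searchForm" type="com.example.SearchForm"/>
    <form-bean name="dynaForm" type="org.apache.struts.validator.DynaValidatorForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" type="com.example.LoginAction"/>
    <action path="/search" name="searchForm" scope="request" type="com.example.SearchAction"/>
    <action path="/dyna" name="dynaForm" scope="session" type="com.example.DynaAction"/>
  </action-mappings>
</struts-config>"""
```

Calling session_scoped_plain_forms(SAMPLE_CONFIG) flags only the /login mapping, since the request-scoped form and the DynaValidatorForm fall outside Condition 1.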
bugbot adjusting priority
struts is only supported as part of the SUSE Manager product. The only package using struts there is spacewalk-java. The shipped versions of spacewalk-java do not use the problematic code. The package itself is affected, but not our usage of it. Not requesting an update.