ID CVE-2016-1181
Summary ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
References
Vulnerable Configurations
  • Oracle Banking Platform 2.3.0
    cpe:2.3:a:oracle:banking_platform:2.3.0
  • Oracle Banking Platform 2.4.0
    cpe:2.3:a:oracle:banking_platform:2.4.0
  • Oracle Banking Platform 2.4.1
    cpe:2.3:a:oracle:banking_platform:2.4.1
  • Oracle Banking Platform 2.5.0
    cpe:2.3:a:oracle:banking_platform:2.5.0
  • Oracle Portal 11.1.1.6
    cpe:2.3:a:oracle:portal:11.1.1.6
  • Apache Software Foundation Struts 1.0
    cpe:2.3:a:apache:struts:1.0
  • Apache Software Foundation Struts 1.0 Beta 1
    cpe:2.3:a:apache:struts:1.0:beta1
  • Apache Software Foundation Struts 1.0 Beta 2
    cpe:2.3:a:apache:struts:1.0:beta2
  • Apache Software Foundation Struts 1.0 Beta 3
    cpe:2.3:a:apache:struts:1.0:beta3
  • Apache Software Foundation Struts 1.0.1
    cpe:2.3:a:apache:struts:1.0.1
  • Apache Software Foundation Struts 1.0.2
    cpe:2.3:a:apache:struts:1.0.2
  • Apache Software Foundation Struts 1.1
    cpe:2.3:a:apache:struts:1.1
  • Apache Software Foundation Struts 1.1-b1
    cpe:2.3:a:apache:struts:1.1:b1
  • Apache Software Foundation Struts 1.1-b2
    cpe:2.3:a:apache:struts:1.1:b2
  • Apache Software Foundation Struts 1.1-b3
    cpe:2.3:a:apache:struts:1.1:b3
  • Apache Software Foundation Struts 1.1 release candidate 1
    cpe:2.3:a:apache:struts:1.1:rc1
  • Apache Software Foundation Struts 1.1 release candidate 2
    cpe:2.3:a:apache:struts:1.1:rc2
  • Apache Software Foundation Struts 1.2.0
    cpe:2.3:a:apache:struts:1.2.0
  • Apache Software Foundation Struts 1.2.1
    cpe:2.3:a:apache:struts:1.2.1
  • Apache Software Foundation Struts 1.2.2
    cpe:2.3:a:apache:struts:1.2.2
  • Apache Software Foundation Struts 1.2.3
    cpe:2.3:a:apache:struts:1.2.3
  • Apache Software Foundation Struts 1.2.4
    cpe:2.3:a:apache:struts:1.2.4
  • Apache Software Foundation Struts 1.2.5
    cpe:2.3:a:apache:struts:1.2.5
  • Apache Software Foundation Struts 1.2.6
    cpe:2.3:a:apache:struts:1.2.6
  • Apache Software Foundation Struts 1.2.7
    cpe:2.3:a:apache:struts:1.2.7
  • Apache Software Foundation Struts 1.2.8
    cpe:2.3:a:apache:struts:1.2.8
  • Apache Software Foundation Struts 1.2.9
    cpe:2.3:a:apache:struts:1.2.9
  • Apache Software Foundation Struts 1.3.5
    cpe:2.3:a:apache:struts:1.3.5
  • Apache Software Foundation Struts 1.3.6
    cpe:2.3:a:apache:struts:1.3.6
  • Apache Software Foundation Struts 1.3.7
    cpe:2.3:a:apache:struts:1.3.7
  • Apache Software Foundation Struts 1.3.8
    cpe:2.3:a:apache:struts:1.3.8
  • Apache Software Foundation Struts 1.3.9
    cpe:2.3:a:apache:struts:1.3.9
  • Apache Software Foundation Struts 1.3.10
    cpe:2.3:a:apache:struts:1.3.10
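The configuration list above covers every Struts 1 release from 1.0 through 1.3.10, so an inventory check reduces to "is there a Struts 1 jar at all, and what version does it carry". The scanner below is an added example written for this page, not code from the advisory, from NVD or from Apache Struts. It identifies Struts 1 by the presence of the class named in the summary (org/apache/struts/action/ActionServlet.class), takes the version from the jar manifest or, failing that, from the conventional struts-core-<version>.jar file name, and flags anything 1.x up to 1.3.10. The manifest field names, the file-name convention and the sample jars are assumptions constructed for the example. One caveat a practitioner needs: the fix reached users as distribution and vendor patches (the Fedora and Oracle updates listed below) that leave the version string unchanged, so a hit means "review the package changelog", and a Struts 1 jar with no version string is reported for manual review rather than cleared.

```python
import io
import re
import zipfile

# Added example, not code from the advisory or from Apache Struts.
# The summary says every Struts 1 release, 1.x through 1.3.10, is affected,
# so the check is "any Struts 1 jar up to 1.3.10" rather than a narrow window.
LAST_AFFECTED = (3, 10)  # (minor, patch) of the last affected 1.x release
ACTION_SERVLET = "org/apache/struts/action/ActionServlet.class"  # class named in the summary
MANIFEST = "META-INF/MANIFEST.MF"

# Accepts 1.3.10, 1.1, 1.1-rc1, 1.0:beta2 and similar; anything else is "unknown".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.:]?(b\d+|beta\d+|rc\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, prerelease) or None when the string is not a plain version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), (pre or "").lower()


def is_affected(version_text):
    """True for every Struts 1 release up to and including 1.3.10; None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    major, minor, patch, _pre = v
    return major == 1 and (minor, patch) <= LAST_AFFECTED


def manifest_version(manifest_text):
    """Version from a MANIFEST.MF body (assumed field names; continuation lines start with a space)."""
    fields = {}
    for line in manifest_text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    for key in ("Implementation-Version", "Specification-Version", "Bundle-Version"):
        if fields.get(key):
            return fields[key]
    return None


def scan_jar_bytes(jar_name, data):
    """Classify one jar: is it Struts 1, which version, and is that version in the affected range."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        struts1 = ACTION_SERVLET in names
        version = None
        if MANIFEST in names:
            version = manifest_version(zf.read(MANIFEST).decode("utf-8", "replace"))
    if version is None:  # fall back to the conventional struts-core-<version>.jar file name
        m = re.search(r"(\d+\.\d+(?:\.\d+)?(?:-(?:b|beta|rc)\d+)?)\.jar$", jar_name, re.IGNORECASE)
        version = m.group(1) if m else None
    if not struts1:
        affected = False
    elif version is None:
        affected = None  # Struts 1 jar with no version string: review by hand
    else:
        affected = is_affected(version)
    return {"jar": jar_name, "struts1": struts1, "version": version, "affected": affected}


def scan_all(jars):
    """jars: mapping of file name -> jar bytes (e.g. everything read from WEB-INF/lib)."""
    return [scan_jar_bytes(name, data) for name, data in sorted(jars.items())]


def _jar(manifest, entries):
    """Build an in-memory jar with a manifest and empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def build_sample_jars():
    """Constructed sample jars (not real Struts artefacts) covering the cases the scanner handles."""
    return {
        "struts-core-1.3.10.jar": _jar(
            "Manifest-Version: 1.0\nImplementation-Title: Struts Core\nImplementation-Version: 1.3.10\n",
            [ACTION_SERVLET]),
        "struts-1.2.9.jar": _jar("Manifest-Version: 1.0\n", [ACTION_SERVLET]),  # version only in the name
        "struts2-core-2.5.10.jar": _jar(
            "Manifest-Version: 1.0\nImplementation-Version: 2.5.10\n",
            ["org/apache/struts2/dispatcher/Dispatcher.class"]),
        "struts-legacy.jar": _jar("Manifest-Version: 1.0\n", [ACTION_SERVLET]),  # no version anywhere
    }


if __name__ == "__main__":
    for result in scan_all(build_sample_jars()):
        print(result)
```

Run it against the sample set and the two Struts 1 jars with a recoverable version come back affected, the Struts 2 jar is cleared, and the unversioned Struts 1 jar is returned with affected=None so it is not silently dropped. In a real run, replace build_sample_jars() with the jar bytes read from each application's WEB-INF/lib.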
CVSS
Base: 6.8 (as of 15-11-2016 - 14:05)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2)
Impact: 6.4
Exploitability: 8.6
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-21BD6A33AF.NASL
    description Security fix for CVE-2016-1181, CVE-2016-1182. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92234
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92234
    title Fedora 23 : struts (2016-21bd6a33af)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-D717FDCF74.NASL
    description Security fix for CVE-2016-1181, CVE-2016-1182. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92292
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92292
    title Fedora 24 : struts (2016-d717fdcf74)
  • NASL family Misc.
    NASL id ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL
    description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506) - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 99528
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99528
    title Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)
  • NASL family Misc.
    NASL id ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL
    description The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940) - A flaw exists in the PathTools module for Perl in the File::Spec::canonpath() function that is triggered as strings are returned as untainted even when passing tainted input. An unauthenticated, remote attacker can exploit this to pass unvalidated user input to sensitive or insecure areas. (CVE-2015-8607) - An overflow condition exists in Perl in the MapPathA() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-8608) - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - A flaw exists in Perl that is triggered during the handling of variables that appear twice in the environment (envp), causing the last value to appear in %ENV, while getenv would return the first. An unauthenticated, remote attacker can exploit this to cause variables to be incorrectly propagated to subprocesses, regardless of the protections offered by taint checking. (CVE-2016-2381) - A denial of service vulnerability exists in the Apache Commons FileUpload component due to improper handling of boundaries in content-type headers when handling file upload requests. An unauthenticated, remote attacker can exploit this to cause processes linked against the library to become unresponsive. (CVE-2016-3092) - A man-in-the-middle vulnerability exists in various components, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388) - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) - An unspecified flaw exists in the UI Framework component that allows an authenticated, remote attacker to have an impact on integrity. (CVE-2017-10091)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 101837
    published 2017-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101837
    title Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)
refmap via4
bid
  • 91068
  • 91787
confirm
jvn JVN#03188560
jvndb JVNDB-2016-000096
sectrack 1036056
Last major update 28-11-2016 - 14:58
Published 04-07-2016 - 18:59
Last modified 13-02-2019 - 15:21