Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)

Vulnerability Details

CVEID:   CVE-2011-1772
DESCRIPTION:   Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/67354 for the current score.
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-0838
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/73690 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2014-7809
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/98963 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2011-5057
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/71654 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-4387
DESCRIPTION:   Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/78183 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2012-1006
DESCRIPTION:   Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72888 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-0392
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72088 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2014-0094
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92205 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2019-0233
DESCRIPTION:   Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2013-1965
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85573 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2014-0112
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92740 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2013-2134
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84762 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2016-3081
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112528 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2014-0113
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/92742 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2013-2135
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84763 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2019-0230
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186702 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2013-4316
DESCRIPTION:   An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87373 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:   CVE-2012-0391
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72229 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2012-0393
DESCRIPTION:   Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72089 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-4386
DESCRIPTION:   Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/78182 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2016-4003
DESCRIPTION:   Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/111514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2016-3093
DESCRIPTION:   Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/113686 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2013-4310
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87336 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVEID:   CVE-2014-0116
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93024 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2010-1870
DESCRIPTION:   XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/60371 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2020-17530
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192743 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2016-3082
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/112527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2016-4436
DESCRIPTION:   An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/114183 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2013-2251
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85756 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2017-12611
DESCRIPTION:   Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/131603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2015-5209
DESCRIPTION:   Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2013-2115
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84543 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2013-1966
DESCRIPTION:   Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84542 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2013-2248
DESCRIPTION:   Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85755 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2015-2992
DESCRIPTION:   Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106172 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2015-5169
DESCRIPTION:   Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/105879 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)