Vulnerability Name:

CVE-2016-4461 (CCN-133514)

Assigned:2016-05-13
Published:2016-05-13
Updated:2019-05-01
Summary:Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Note: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2016-4461

Source: CCN
Type: IBM Security Bulletin S1010778 (FlashSystem V840)
Vulnerability in Apache Struts affects the IBM FlashSystem model V840

Source: CCN
Type: IBM Security Bulletin S1010779 (FlashSystem 840)
Security Bulletin: Vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900

Source: CCN
Type: IBM Security Bulletin S1010883 (Storwize V7000 (2076))
Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2016-4461)

Source: BID
Type: Third Party Advisory, VDB Entry
91277

Source: CCN
Type: BID-91277
Apache Struts Incomplete Fix Remote Code Execution Vulnerability

Source: XF
Type: UNKNOWN
apache-cve20164461-code-exec(133514)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20180629-0004/

Source: CCN
Type: Apache Struts 2 Documentation S2-036
Possible Remote Code Execution vulnerability

Source: CONFIRM
Type: Mitigation, Vendor Advisory
https://struts.apache.org/docs/s2-036.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:struts:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.3.29)

    • Configuration 2:
  • cpe:/a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:struts:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.14:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.13:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.15:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.16:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.20:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.24:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:struts:2.3.28:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:storwize_v7000_software:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.4:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:flashsystem_v840:-:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:flashsystem_v840:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.7:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.trusty:def:20164461000
    V
    		CVE-2016-4461 on Ubuntu 14.04 LTS (trusty) - high.
    2017-10-16
    BACK
    apache struts *
    netapp oncommand balance -
    apache struts 2.0.0
    apache struts 2.0.12
    apache struts 2.0.13
    apache struts 2.0.14
    apache struts 2.0.2
    apache struts 2.0.3
    apache struts 2.0.4
    apache struts 2.0.7
    apache struts 2.1.0
    apache struts 2.1.1
    apache struts 2.1.2
    apache struts 2.1.3
    apache struts 2.1.4
    apache struts 2.1.5
    apache struts 2.1.6
    apache struts 2.1.8
    apache struts 2.1.8.1
    apache struts 2.2.1
    apache struts 2.2.1.1
    apache struts 2.2.3
    apache struts 2.3.1
    apache struts 2.3.14.3
    apache struts 2.3.13
    apache struts 2.3.14
    apache struts 2.3.15
    apache struts 2.3.15.3
    apache struts 2.2.3.1
    apache struts 2.3.8
    apache struts 2.3.7
    apache struts 2.3.4.1
    apache struts 2.3.4
    apache struts 2.3.3
    apache struts 2.3.1.2
    apache struts 2.3.1.1
    apache struts 2.3.12
    apache struts 2.3.14.2
    apache struts 2.3.14.1
    apache struts 2.3.15.1
    apache struts 2.3.16
    apache struts 2.3.15.2
    apache struts 2.3.16.1
    apache struts 2.3.16.2
    apache struts 2.3.16.3
    apache struts 2.3.20
    apache struts 2.3.24
    apache struts 2.3.24.1
    apache struts 2.3.28
    ibm storwize v7000 software 6.1
    ibm storwize v7000 software 6.2
    ibm storwize v7000 software 6.3
    ibm storwize v7000 software 6.4
    ibm storwize v7000 software 7.1
    ibm storwize v7000 software 7.2
    ibm storwize v7000 software 7.3
    ibm storwize v7000 software 7.4
    ibm flashsystem v840 -
    ibm flashsystem v840 -
    ibm storwize v7000 software 7.5
    ibm storwize v7000 software 7.6
    ibm storwize v7000 software 7.6.1
    ibm storwize v7000 software 7.7