
IT Security: Linux, UNIX and Windows vulnerable – Updated IT security alert about Apache Struts (Risk: Medium)

As the BSI reports, an IT security alert covering several identified vulnerabilities in Apache Struts has been updated. Read here how affected customers should respond.

The Federal Office for Information Security (BSI) published an update on May 16, 2024 to the Apache Struts security alert first issued on May 6, 2014. The vulnerability affects the operating systems Linux, UNIX and Windows as well as the products Red Hat Enterprise Linux, Red Hat Network Satellite Server, Oracle Primavera, Debian Linux, Oracle Retail Invoice Matching, SUSE Linux, Red Hat Enterprise Linux Desktop, Red Hat JBoss Fuse, Apache Struts, Oracle Retail Allocation, Oracle Retail Clearance Optimization Engine, Oracle Retail Markdown Optimization, HPE XP P9000 Command View Advanced Edition, Oracle Linux, HPE SiteScope, NetApp OnCommand Unified Manager and IBM Operational Decision Manager.

The latest vendor recommendations for updates, patches and security fixes for this vulnerability can be found here: IBM Security Bulletin 7153639 (as of May 17, 2024). Further useful links are listed later in this article.

Apache Struts Security Advisory – Risk: Medium

Risk level: 4 (medium)
CVSS base score: 7.3
CVSS temporal score: 6.4
Remotely exploitable: Yes

The Common Vulnerability Scoring System (CVSS) is used to evaluate the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks against uniform criteria in order to prioritize countermeasures. The ratings “none”, “low”, “medium”, “high” and “critical” describe the severity of a vulnerability. The base score evaluates the prerequisites for an attack (such as authentication, complexity, privileges and user interaction) together with its consequences. The temporal score additionally takes into account conditions that can change over time, such as the availability of exploit code and of a fix. According to CVSS, the current vulnerability is rated “medium” with a base score of 7.3.

Apache Struts vulnerability: arbitrary code could be executed with service privileges

Struts is a framework for Java applications on the Apache web server.

A remote, anonymous attacker could exploit a vulnerability in Apache Struts to execute arbitrary code with service privileges.

Vulnerabilities are uniquely identified by a CVE (Common Vulnerabilities and Exposures) number. This vulnerability has been assigned CVE-2014-0114.

Systems affected by the vulnerability at a glance

Operating systems
Linux, UNIX, Windows

Products
Red Hat Enterprise Linux 5 (cpe:/o:redhat:enterprise_linux)
Red Hat Satellite Server (cpe:/h:redhat:network_satellite_server)
Oracle Primavera (cpe:/a:oracle:primavera_portfolio_management)
Debian Linux Wheezy (7.0) (cpe:/o:debian:debian_linux)
Oracle Retail Invoice Matching 11.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.0 IN (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.1 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 13.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 13.2 (cpe:/a:oracle:retail_invoice_matching)
SUSE Linux (cpe:/o:use:suse_linux)
Red Hat Enterprise Linux Desktop 5 (cpe:/o:redhat:enterprise_linux_desktop)
Red Hat JBoss Fuse (cpe:/a:redhat:jboss_fuse)
Apache Struts 1 (cpe:/a:apache:struts)
Oracle Retail Allocation 10.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 11.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 12.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 13.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 13.1 (cpe:/a:oracle:retail_allocation)
Oracle Retail Clearance Optimization Engine 13.3 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Clearance Optimization Engine 13.4 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Clearance Optimization Engine 14.0 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Invoice Matching 14.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Markdown Optimization 12.0 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.0 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.2 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.4 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.1 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Allocation 13.2 (cpe:/a:oracle:retail_allocation)
HPE XP P9000 Command View Advanced Edition (cpe:/a:hp:xp_p9000_command_view_advanced_edition)
Oracle Linux (cpe:/o:oracle:linux)
HPE SiteScope (cpe:/a:hp:sitescope)
NetApp OnCommand Unified Manager (cpe:/a:netapp:oncommand_unified_manager)
IBM Operational Decision Manager 8.10 (cpe:/a:ibm:operational_decision_manager)
IBM Operational Decision Manager 8.11 (cpe:/a:ibm:operational_decision_manager)

General recommendations for dealing with IT security vulnerabilities

  1. Users of affected systems should keep themselves informed. When security vulnerabilities become known, manufacturers are obliged to fix them as quickly as possible with a patch or a workaround. As soon as new security updates are available, install them promptly.
  2. Further information can be found in the sources in the next section. These usually contain additional details on the latest version of the software concerned, the available security patches or recommended workarounds.
  3. If you have any questions or concerns, contact your responsible administrator. IT security officers should check regularly whether the manufacturers affected by this IT security alert have published a new security update.

Resources for updates, patches, and fixes

Here you will find links with details on bug reports, security fixes and workarounds.

IBM Security Bulletin 7153639 dated 05-17-2024 (16.05.2024)

IBM Security Bulletin 6982881 dated 12-04-2023 (11.04.2023)

Oracle Linux Security Advisory ELSA-2020-0194 dated 24-04-2020 (23.04.2020)

Red Hat Security Advisory RHSA-2019:2995 dated 2019-10-10 (09.10.2019)

NetApp Advisory NTAP-20140911-0001 dated 06-04-2017 (06.04.2017)

HP Security Bulletin HPSBGN03669 dated 11/07/2016 (06.11.2016)

HP Security Bulletin c04473828 dated 10/14/2014 (14.10.2014)

Oracle Critical Patch Update Advisory, Retail Applications appendix, dated 14-10-2014 (14.10.2014)

Debian Security Advisory DSA-2940-1 dated 21-08-2014 (21.08.2014)

SUSE Security Update: Security update for Struts (15.07.2014)

Red Hat Security Advisory RHSA-2014:0511-1 dated 2014-05-15 (15.05.2014)

Red Hat Security Advisory RHSA-2014:0500-1 dated 2014-05-14 (14.05.2014)

Red Hat Security Advisory RHSA-2014:0498-1 dated 2014-05-14 (14.05.2014)

Red Hat Security Advisory RHSA-2014:0497-1 dated 2014-05-14 (14.05.2014)

Red Hat Security Advisory RHSA-2014:0474-1 dated 2014-05-07 (06.05.2014)

Version history of this security alert

This is version 21 of this Apache Struts IT security alert. The document will be updated as further updates are published. The changes and additions can be seen in this version history.

06.05.2014 – Initial version
06.05.2014 – Version not available
06.05.2014 – Version not available
06.05.2014 – Version not available
15.05.2014 – New updates available
15.05.2014 – Version not available
15.07.2014 – New updates available
15.07.2014 – Version not available
21.08.2014 – New updates available
21.08.2014 – Version not available
21.08.2014 – Version not available
21.08.2014 – Version not available
21.08.2014 – Version not available
06.11.2016 – New updates available
06.11.2016 – Version not available
06.04.2017 – n
06.04.2017 – Version not available
09.10.2019 – New updates from Red Hat added
23.04.2020 – New updates from Oracle Linux added
11.04.2023 – New updates from IBM added
16.05.2024 – New updates from IBM added

+++ Editor’s note: This document is based on current BSI information and is kept up to date automatically, depending on the status of the alert. Suggestions and feedback are welcome at (email protected). +++


kns/roj/news.de