As BSI studies, an IT safety alert a couple of identified vulnerability in Apache Struts has acquired an replace. You can learn how affected customers ought to behave right here.
Federal workplace for Security on Information Technology (BSI) issued an replace on May 16, 2024 for the Apache Struts safety vulnerability identified on May 6, 2014. The safety vulnerability impacts Linux, UNIX and Windows working techniques and Red Hat Enterprise Linux merchandise , Red Hat Network Satellite Server, Oracle Primavera, Debian Linux, Oracle Retail Invoice Matching, SUSE Linux, Red Hat Enterprise Linux Desktop, Red Hat JBoss Fuse, Apache Struts , Oracle Retail Allocation, Oracle Retail Clearance Optimization Engine, Oracle Retail Markdown Optimization, HPE XP P9000 Command View Advanced Edition, Oracle Linux, HPE SiteScope, NetApp OnCommand Unified Manager and IBM Operational Decision Manager.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: IBM Security Bulletin 7153639 (From 17 May 2024). Some helpful assets are listed later on this article.
Apache Struts Security Advisory – Risk: Medium
Risk stage: 4 (reasonable)
CVSS Base Score: 7.3
CVSS provisional rating: 6,4
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the severity of vulnerabilities in pc techniques. The CVSS commonplace makes it doable to check potential or precise safety dangers based mostly on varied standards with a view to prioritize countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, consumer interplay) and its outcomes. For non permanent impact, body situations that will change over time are thought-about within the take a look at. According to CVSS, the present vulnerability menace is assessed as “reasonable” with a base rating of seven.3.
Apache Struts Bug: Vulnerability permits arbitrary software code to be executed with service privileges
Struts is a framework for Java functions on the Apache internet server.
A distant, unknown attacker might exploit a vulnerability in Apache Struts to execute arbitrary code by way of service permissions.
Vulnerabilities are recognized by a novel CVE (Common Vulnerabilities and Exposures) serial quantity. CVE-2014-0114 on the market.
Systems affected by the safety hole at a look
Operating techniques
Linux, UNIX, Windows
Products
Red Hat Enterprise Linux 5 (cpe:/o:redhat:enterprise_linux)
Red Hat Satellite Server (cpe:/h:redhat:network_satellite_server)
Oracle Primavera (cpe:/a:oracle:primavera_portfolio_management)
Debian Linux Wheezy (7.0) (cpe:/o:debian:debian_linux)
Oracle Retail Invoice Matching 11.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.0 IN (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 12.1 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 13.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Invoice Matching 13.2 (cpe:/a:oracle:retail_invoice_matching)
SUSE Linux (cpe:/o:use:suse_linux)
Red Hat Enterprise Linux Desktop 5 (cpe:/o:redhat:enterprise_linux_desktop)
Red Hat JBoss Fuse (cpe:/a:redhat:jboss_fuse)
Apache Struts 1 (cpe:/a:apache:struts)
Oracle Retail Allocation 10.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 11.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 12.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 13.0 (cpe:/a:oracle:retail_allocation)
Oracle Retail Allocation 13.1 (cpe:/a:oracle:retail_allocation)
Oracle Retail Clearance Optimization Engine 13.3 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Clearance Optimization Engine 13.4 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Clearance Optimization Engine 14.0 (cpe:/a:oracle:retail_clearance_optimization_engine)
Oracle Retail Invoice Matching 14.0 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Markdown Optimization 12.0 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.0 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.2 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.4 (cpe:/a:oracle:retail_markdown_optimization)
Oracle Retail Markdown Optimization 13.1 (cpe:/a:oracle:retail_invoice_matching)
Oracle Retail Allocation 13.2 (cpe:/a:oracle:retail_allocation)
HPE XP P9000 Command View Advanced Edition (cpe:/a:hp:xp_p9000_command_view_advanced_edition)
Oracle Linux (cpe:/o:oracle:linux)
HPE SiteScope (cpe:/a:hp:sitescope)
NetApp OnCommand Unified Manager (cpe:/a:netapp:oncommand_unified_manager)
IBM Operational Decision Manager 8.10 (cpe:/a:ibm:operational_decision_manager)
IBM Operational Decision Manager 8.11 (cpe:/a:ibm:operational_decision_manager)
General suggestions for addressing IT safety gaps
- Users of affected techniques ought to keep up-to-date. When safety holes are identified, producers are required to repair them shortly by growing a patch or workaround. When new safety updates can be found, set up them instantly.
- For info, see the sources listed within the subsequent part. This usually incorporates extra details about the most recent model of the software program in query and the provision of safety patches or efficiency ideas.
- If you could have any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to recurrently examine if IT safety alert Affected producers present a brand new safety replace.
Sources for updates, patches and workarounds
Here you will see that some hyperlinks with details about bug studies, safety fixes and workarounds.
IBM Security Bulletin 7153639 vom 2024-05-17 (16.05.2024)
For extra info, see:
IBM Security Bulletin 6982881 vom 2023-04-12 (11.04.2023)
For extra info, see:
Oracle Linux Security Advisory ELSA-2020-0194 vom 2020-04-24 (23.04.2020)
For extra info, see:
Red Hat Security Advisory RHSA-2019:2995 vom 2019-10-10 (09.10.2019)
For extra info, see:
NetApp Advisory Number NTAP-20140911-0001 vom 2017-04-06 (06.04.2017)
For extra info, see:
HP Security Bulletin HPSBGN03669 vom 2016-11-07 (06.11.2016)
For extra info, see:
HP Security Bulletin c04473828 vom 2014-10-14 (14.10.2014)
For extra info, see:
Oracle Critical Patch Update Advisory Appendix Retail Applications vom 2014-10-14 (14.10.2014)
For extra info, see:
Debian Security Advisory DSA-2940-1 vom 2014-08-21 (21.08.2014)
For extra info, see:
SUSE Security Update: Security Update fĆ¼r Struts (15.07.2014)
For extra info, see:
Red Hat Security Advisory RHSA-2014:0511-1 vom 2014-05-15 (15.05.2014)
For extra info, see:
Red Hat Security Advisory RHSA-2014:0500-1 vom 2014-05-14 (14.05.2014)
For extra info, see:
Red Hat Security Advisory RHSA-2014:0498-1 vom 2014-05-14 (14.05.2014)
For extra info, see:
Red Hat Security Advisory RHSA-2014:0497-1 vom 2014-05-14 (14.05.2014)
For extra info, see:
Red Hat Security Advisory RHSA-2014:0474-1 vom 2014-05-07 (06.05.2014)
For extra info, see:
Version historical past of this safety alert
This is model 21 of this Apache Struts IT Security Notice. This doc will likely be up to date as extra updates are introduced. You can examine modifications or additions on this model historical past.
06.05.2014 – Original Release
May 6, 2014 – Version not obtainable
May 6, 2014 – Version not obtainable
May 6, 2014 – Version not obtainable
15.05.2014 – New repair obtainable
May 15, 2014 – Version not obtainable
15.07.2014 – New repair obtainable
July 15, 2014 – Version not obtainable
21.08.2014 – New repair obtainable
08/21/2014 – Version not obtainable
08/21/2014 – Version not obtainable
08/21/2014 – Version not obtainable
08/21/2014 – Version not obtainable
06.11.2016 – New repair obtainable
11/06/2016 – Version not obtainable
06.04.2017 – n
April 6, 2017 – Version not obtainable
10/09/2019 – New updates from Red Hat have been added
April 23, 2020 – Added new updates to Oracle Linux
April 11, 2023 – Added new updates from IBM
May 16, 2024 – New updates from IBM added
+++ Editorial observe: This doc relies on present BSI information and will likely be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you’re right here Facebook, Twitter, Pinterest once more YouTube? Here you will see that sizzling information, present movies and a direct line to the editorial crew.
kns/roj/information.de