Bugzilla – Bug 924887
VUL-0: CVE-2015-0899: struts: Apache Struts 1: input validation bypass in MultiPageValidator
Last modified: 2016-03-13 17:32:17 UTC
via rh bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1207099

The following flaw was found in Apache Struts 1:

The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly.

Upstream advisory:
http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
https://jvn.jp/en/jp/JVN86448949/index.html

Upstream patches:
http://en.sourceforge.jp/projects/terasoluna/wiki/StrutsPatch2-ENac
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61381
currently no bugowner set. bnc-team-java previously.
bugbot adjusting priority
Created attachment 629559
Patch taken from the above page and rebased
Submission sent to SLE11.
SUSE-SU-2015:0886-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 924887
CVE References: CVE-2015-0899
Sources used:
SUSE Manager Server (src): struts-1.2.9-162.37.1
SUSE Manager 1.7 for SLE 11 SP2 (src): struts-1.2.9-162.37.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): struts-1.2.9-162.37.1
fixed