Apache Struts 1.2.9 with SP3 by TERASOLUNA

Introduction

Fixed the unexpected event occur in Apache Struts1 (CVE-2016-1181)(CVE-2016-1182) and provided Apache Struts 1.2.9 with Security Patch 3 contributed by TERASOLUNA (hereinafter referred to as, Struts 1.2.9 sp3) under the Apache License, Version 2.0 for TERASOLUNA Server Framework for Java that uses Apache Struts 1.2.9 sp2 in TERASOLUNA framework version 2 system.

• CVE-2016-1181
• CVE-2016-1182

TERASOLUNA Server Framework for Java uses Apache Struts 1.2.9 sp2 in TERASOLUNA framework version 2 system. Unexpected events may occur during a processing of the request information in Apache Struts 1.2.9 sp2. As a measure for this issue, apply the Struts 1.2.9 sp3.

Furthermore, the improvement of the TERASOLUNA Server Framework for Java 2 will be released during May 2016.

Struts 1.2.9 sp3

In Struts 1.2.9 sp3, the following changes have been done on Struts 1.2.9 sp2.

• Source Code Diff (struts-1.2.9-sp3-diff.zip)

Build procedure from source-code

Below is the procedure to build the source code of struts-1.2.9-sp3 and create struts.jar file.

1. 1.Install JDK1.3.1_04
   
2. Install apache-ant-1.6.1 and addition of libraries
   Deploy apache-ant-1.6.1 and add the following libraries under lib folder of ant.
   • commons-logging-1.0.4.jar
   • junit-3.8.1.jar
   • xalan-2.5.1.jar
3. Deploy source code of struts-1.2.9-sp3
   Unzip the zip file of source code in the directory of choice. Create lib folder in the struts-1.2.9-sp3-src folder.
4. Deploy the jar files required for build
   Place the below jar files in the directory of choice.
   • antlr-2.7.2.jar
   • checkstyle-2.4.jar
   • commons-beanutils-1.7.0.jar
   • commons-digester-1.6.jar
   • commons-fileupload-1.0.jar
   • commons-logging-1.0.4.jar
   • commons-validator-1.1.4.jar
   • junit-3.8.1.jar
   • log4j-1.2.14.jar
   • servletapi-2.3.jar
   • xerces-1.4.4.jar
   • oro-2.0.7.jar
   • jakarta-taglibs-standard-1.0
     • jstl.jar
     • standard.jar
   • jakarta-tomcat-4.0.6
     • jdbc2_0-stdext.jar
5. Create configuration file for build
   Rename build.properties.sample to build.properties and change the paths in the file according to your own environment.
6. Environment settings for build
   Set the below environment variables according to your own environment.
   • JAVA_HOME
   • ANT_HOME
7. Build using ant

Download

• Binary File (struts.jar)
• Source Code (struts-1.2.9-sp3-src.zip)
• Source Code Diff (struts-1.2.9-sp3-diff.zip)

Reference

CVE - CVE-2016-1181
JVN - JVN#03188560

CVE - CVE-2016-1182
JVN - JVN#65044642

Disclaimer

Unless required by applicable law or agreed to in writing, Struts 1.2.9 sp3 distributed under the Apache License, Version 2.0 is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Apache License, Version 2.0 for the specific language governing permissions and limitations under the License.

• Apache License, Version 2.0
  http://www.apache.org/licenses/LICENSE-2.0

※ TERASOLUNA is a registered trademark or trademark of NTT DATA Corporation in Japan and other countries. ※ Other company names, product names and service names mentioned are trademarks or registered trademarks of the respective companies(owners).