CVE-2016-3081 Apache Struts 2 security vulnerability

Related Vulnerabilities: CVE-2016-3081  



  • Article Number: 000008684
  • Products: Email Security Gateway, Forcepoint I Series Appliance, Forcepoint V10000 Appliance, Forcepoint V5000 Appliance, Forcepoint X Series Appliance, Insider Threat, Next Generation Firewall (NGFW), Sidewinder, TRITON RiskVision, Threat Protection, Threat Protection for Linux, Web Filter & Security, Web Security Gateway, Web Security and Web Filter
  • Version:
  • Last Published Date: May 16, 2016

Problem Description

The following security vulnerability has been under investigation by Forcepoint Engineering since May 2, 2016.

Last update: May 16, 2016

Description of vulnerability

From CVE website: Apache Struts 2.x before, 2.3.24.x before, and 2.3.28.x before, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

The Apache Struts 2 documentation site describes the vulnerability as follows in its Security Bulletin S2-032:

It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.

See for more details.
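As an added example (not part of this article and not Struts project code), the Python below audits an application's Struts configuration for the precondition named in the description, Dynamic Method Invocation being enabled. It assumes the setting is carried by the `struts.enable.DynamicMethodInvocation` constant in `struts.xml` or `struts.properties`; the verdict labels and sample files are constructed, and it flags any file that enables DMI rather than resolving which file takes precedence.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

def dmi_from_struts_xml(text):
    """Value of the DMI <constant> in struts.xml text, or None if absent."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            value = (const.get("value") or "").strip().lower()
    return value

def dmi_from_properties(text):
    """Value of the DMI key in struts.properties text, or None if absent."""
    value = None
    for line in text.splitlines():
        # Skip comment lines (# or !) and accept "key = value" or "key: value".
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == DMI_KEY:
            value = m.group(2).strip().lower()
    return value

def audit(sources):
    """sources maps file name -> file text. Returns (verdict, per-file values)."""
    found = {}
    for name, text in sources.items():
        parse = dmi_from_struts_xml if name.endswith(".xml") else dmi_from_properties
        found[name] = parse(text)
    values = [v for v in found.values() if v is not None]
    if "true" in values:
        return "DMI-ENABLED", found    # flag if any file turns it on
    if values and all(v == "false" for v in values):
        return "DMI-DISABLED", found
    return "REVIEW", found             # unset or unrecognized: check the version default

# Constructed sample configuration, not taken from any real product.
SAMPLE_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
SAMPLE_PROPS = "# constructed\nstruts.enable.DynamicMethodInvocation = false\n"

if __name__ == "__main__":
    print(audit({"struts.xml": SAMPLE_XML}))
    print(audit({"struts.properties": SAMPLE_PROPS}))
```

A `REVIEW` verdict means no file sets the constant explicitly, so the effective value depends on the deployed Struts version and should be confirmed there.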

What is the risk to Forcepoint products?

The following are considered not vulnerable:
  • Data Security Suite, TRITON AP-DATA
  • TRITON management server
  • i-Series Appliance
  • TRITON AP-EMAIL and Email Security Gateway
  • TRITON AP-WEB (on-premises) and Web Security Gateway
  • V-Series and X-Series Appliance platforms
  • Web Filter, Web Security
  • RiskVision
  • SureView Insider Threat
  • SureView Threat Protection
  • Threat Protection for Linux
  • Sidewinder
  • Stonesoft Next Generation Firewall
  • TRITON AP-EMAIL (cloud) and TRITON AP-WEB (cloud)
