What is Apache Struts 1?
Apache Struts 1 was one of the most widely adopted Java web application frameworks of the 2000s, providing an MVC (Model-View-Controller) architecture for building enterprise Java web applications. It was particularly prevalent in banking, insurance, government, and enterprise portal applications built during the 2003–2010 era. Its final release, Struts 1.3.10, shipped in December 2008, and the Apache Struts project formally declared Struts 1 end-of-life in April 2013; applications built on it nevertheless persisted in production for many years afterward. The ActionForm component was central to Struts 1's request handling, acting as a Java bean that captured HTTP request parameters for form processing.
Overview
CVE-2006-1547 is a denial-of-service vulnerability (CVSS 3.1 score 7.5, availability-only impact) in the ActionForm component of Apache Struts 1 when used with Apache Commons BeanUtils 1.7. A remote, unauthenticated attacker could send a multipart/form-data request whose parameter name references the form's public getMultipartRequestHandler method; the MultipartRequestHandler object retrieved that way is not properly initialized, and the resulting NullPointerException in the form validation logic is not caught, so request processing aborts. Repeating the request keeps the application unavailable. The issue was fixed in Struts 1.2.9. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2022-01-21 with a remediation deadline of 2022-07-21; that six-month window is the standard BOD 22-01 timeline for CVEs assigned before 2021, not a concession to the DoS-only impact.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Apache Struts 1 before 1.2.9 with BeanUtils 1.7 | Affected | Upgrade to Struts 1.2.9 or later |
| Apache Struts 1.3.x (all) | Check BeanUtils version | Ensure BeanUtils 1.8.0 or later |
Note: Apache Struts 1 has been end-of-life since April 2013. Organizations still running Struts 1 applications should plan migration to a supported framework.
Technical Details
The vulnerability exists in how Apache Struts 1 ActionForms used Apache Commons BeanUtils for property introspection. When Struts processes an HTTP request, it uses BeanUtils to populate an ActionForm bean with the request parameters — iterating over parameter names, finding matching getter/setter methods on the form bean, and setting the values.
In BeanUtils 1.7, a parameter name is treated as a property path: a name of the form multipartRequestHandler.<property> is resolved by first calling the form's public getMultipartRequestHandler method and then operating on the object it returns. In a multipart/form-data request the MultipartRequestHandler retrieved through that getter is not properly initialized at that point, so the property resolution dereferences a null reference and throws a NullPointerException in the form validation logic. Because nothing in Struts' request processing pipeline caught the exception, the request was aborted with a server error, and the same request could be replayed at will.
The attack required no authentication: any multipart/form-data request to a Struts 1 ActionForm carrying such a parameter name triggered the failure, and a sustained stream of such requests kept the application unavailable.
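To make the population mechanism concrete, the following Python model is added here; it is not Struts or Commons BeanUtils code, and the LoginForm class, its fields and the parameter maps are constructed for the illustration. It walks dotted parameter names through getters the way BeanUtils-style nested resolution does, shows the uncaught failure when an intermediate getter returns null, shows the same name succeeding once a handler exists, and contrasts a hardened populate that accepts only declared, flat field names. The crafted parameter name follows the NVD description of the trigger (a name that reaches the form's public getMultipartRequestHandler getter).

```python
"""Simplified model of request-parameter population in a Struts 1 ActionForm.

Added illustration in Python, not Struts or Commons BeanUtils code. The form
class, its fields and the sample parameter maps are constructed for the
example; the nested parameter name is modelled on the NVD description of
CVE-2006-1547.
"""

import re
from typing import Dict, List, Optional, Set, Tuple


class MultipartRequestHandler:
    """Stand-in for the object Struts attaches to a form during multipart
    processing."""

    def __init__(self) -> None:
        self.all_elements: Dict[str, str] = {}

    def set_all_elements(self, value: str) -> None:
        self.all_elements = {"raw": value}


class LoginForm:
    """Hypothetical ActionForm subclass: two declared fields plus the public
    handler getter every Struts 1 ActionForm inherits."""

    def __init__(self) -> None:
        self._username = ""
        self._password = ""
        self._handler: Optional[MultipartRequestHandler] = None

    def set_username(self, value: str) -> None:
        self._username = value

    def get_username(self) -> str:
        return self._username

    def set_password(self, value: str) -> None:
        self._password = value

    def get_password(self) -> str:
        return self._password

    # Returns None until a handler has been installed.
    def get_multipart_request_handler(self) -> Optional[MultipartRequestHandler]:
        return self._handler

    def set_multipart_request_handler(self, handler: MultipartRequestHandler) -> None:
        self._handler = handler


# Declared form fields: the only names populate_checked() will accept.
ALLOWED_FIELDS: Set[str] = {"username", "password"}


def _accessor(prop: str) -> str:
    """Map a Java-style property name (allElements) to this model's
    snake_case accessor suffix (all_elements)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", prop).lower()


def populate_unchecked(form: object, params: Dict[str, str]) -> None:
    """Vulnerable population, mirroring BeanUtils-style nested resolution:
    every dotted segment is resolved through a getter, then the final setter
    is called. A getter that returns None on the path makes the next lookup
    raise (AttributeError here, NullPointerException in Java) and nothing
    catches it."""
    for name, value in params.items():
        *path, leaf = name.split(".")
        target = form
        for segment in path:
            target = getattr(target, "get_" + _accessor(segment))()
        getattr(target, "set_" + _accessor(leaf))(value)


def populate_checked(form: object, params: Dict[str, str],
                     allowed: Set[str]) -> List[str]:
    """Hardened population: only flat names of declared fields are applied.
    Nested paths and unknown names are reported back instead of being
    resolved through arbitrary public getters. Returns the rejected names."""
    rejected: List[str] = []
    for name, value in params.items():
        if "." in name or name not in allowed:
            rejected.append(name)
            continue
        getattr(form, "set_" + _accessor(name))(value)
    return rejected


def run_scenario() -> Tuple[bool, bool, bool, List[str], str]:
    """Constructed inputs: a benign login and a request carrying a nested
    parameter name aimed at the handler getter."""
    benign = {"username": "alice", "password": "s3cret"}
    crafted = {"username": "alice",
               "multipartRequestHandler.allElements": "x"}

    form = LoginForm()
    populate_unchecked(form, benign)
    benign_ok = form.get_username() == "alice"

    # No handler installed: the nested name aborts population.
    try:
        populate_unchecked(LoginForm(), crafted)
        crashed = False
    except AttributeError:
        crashed = True

    # Same name with a handler present: resolution succeeds, which is why the
    # NVD description speaks of a handler that is "not initialized properly".
    initialised = LoginForm()
    initialised.set_multipart_request_handler(MultipartRequestHandler())
    populate_unchecked(initialised, crafted)
    survived = initialised.get_multipart_request_handler().all_elements == {"raw": "x"}

    hardened = LoginForm()
    rejected = populate_checked(hardened, crafted, ALLOWED_FIELDS)
    return benign_ok, crashed, survived, rejected, hardened.get_username()


if __name__ == "__main__":
    print(run_scenario())
```

The design point is the allow-list in populate_checked: request parameter names should select declared form fields, never drive a reflective walk through whatever public getters the bean happens to expose.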
Discovery
Reported to the Apache Struts project during the Struts 1.2.x development cycle. The vulnerability was specific to the interaction between Struts 1's form handling and Apache Commons BeanUtils 1.7's property introspection behavior. The fix in Struts 1.2.9 included improved handling of malformed property expressions to prevent the null pointer condition.
Exploitation Context
The KEV inclusion reflects exploitation of Struts 1 applications in production environments more than 15 years after the vulnerability was disclosed and almost a decade after the framework's end-of-life:
- Legacy Java web applications: Enterprise applications — particularly in financial services, insurance, and government — built on Struts 1 in the mid-2000s often ran for decades with minimal updates. These applications regularly ran vulnerable Struts versions because upgrading a Struts 1 application to Struts 2 or a different framework required significant code rewrites.
- DoS as an attack enabler: While this vulnerability only causes denial-of-service, crashing a web application can be used to disrupt business operations, force failover to less-secured backup systems, or distract security operations while other attacks proceed.
- Struts ecosystem vulnerabilities: Struts 1 and Struts 2 accumulated numerous high-severity vulnerabilities, including remote code execution (CVE-2017-5638 in Struts 2, which caused the Equifax breach). CVE-2006-1547 was added to KEV alongside other Struts vulnerabilities as CISA catalogued the Struts ecosystem's exploitation history.
Remediation
- Upgrade Apache Struts to 1.2.9 or later: If still running Struts 1.x, ensure the version is at least 1.2.9. Note that Struts 1 is end-of-life.
- Migrate off Apache Struts 1: Plan and execute migration of Struts 1 applications to a supported framework (Spring MVC, Struts 2 with up-to-date patches, Jakarta EE, etc.). Struts 1 will never receive security fixes.
- Update Apache Commons BeanUtils: Ensure BeanUtils is updated to 1.8.0 or later, which contains additional defensive property introspection handling.
- Web Application Firewall: As a temporary compensating control, deploy a WAF rule that rejects multipart/form-data requests whose parameter names are nested property paths (names containing dots or index expressions, and in particular any name beginning with multipartRequestHandler) rather than the plain field names the ActionForm declares. Test the rule against legitimate forms first, since some applications rely on indexed or nested property names.
- Application monitoring: Monitor application logs for NullPointerException storms, spikes in HTTP 500 responses on form-handling actions, or sudden availability drops that could indicate exploitation or reconnaissance.
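As an added example of the monitoring item above (not tooling from the page or the Struts project), the following Python script scans constructed application log lines, counts NullPointerException entries per client, and flags any client that crosses a threshold inside a sliding time window. The log layout, the sample lines, the 60-second window and the threshold of five are all assumptions to adapt to the real container format.

```python
"""Detect NullPointerException storms in application logs as a signal of
CVE-2006-1547 probing or exploitation against a Struts 1 application.

Added example, not tooling from the page or the Struts project. The log
line format, the sample lines, the window and the threshold are assumptions.
"""

import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterator, Tuple

# Constructed sample lines in a hypothetical "<timestamp> <level> [<client ip>]
# <message>" layout. 203.0.113.9 hammers login.do and triggers repeated NPEs;
# 198.51.100.4 produces two isolated NPEs; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
2022-01-21T10:00:01 INFO [10.0.0.5] GET /app/login.do 200
2022-01-21T10:00:10 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:00:15 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:00:20 INFO [198.51.100.4] POST /app/login.do 302
2022-01-21T10:00:25 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:00:30 ERROR [198.51.100.4] POST /app/upload.do java.lang.NullPointerException
2022-01-21T10:00:35 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:00:40 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:00:45 ERROR [203.0.113.9] POST /app/login.do java.lang.NullPointerException
2022-01-21T10:03:00 ERROR [198.51.100.4] POST /app/upload.do java.lang.NullPointerException
2022-01-21T10:05:00 ERROR [10.0.0.5] GET /app/report.do java.lang.IllegalStateException
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) \[(?P<ip>[^\]]+)\] (?P<msg>.*)$")


def parse_lines(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, client ip, message); lines that do not match the
    assumed layout are skipped rather than allowed to break the scan."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["msg"]


def npe_totals(log_text: str) -> Dict[str, int]:
    """Count NullPointerException lines per client, for triage context."""
    totals: Dict[str, int] = defaultdict(int)
    for _, ip, msg in parse_lines(log_text):
        if "NullPointerException" in msg:
            totals[ip] += 1
    return dict(totals)


def npe_bursts(log_text: str, window_seconds: int = 60,
               threshold: int = 5) -> Dict[str, str]:
    """Sliding-window detector: a client that produces at least `threshold`
    NPE lines inside any `window_seconds` span is flagged once, with the
    timestamp at which the threshold was crossed. Lines are assumed to be
    in chronological order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for ts, ip, msg in parse_lines(log_text):
        if "NullPointerException" not in msg:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    print("NPE totals:", npe_totals(SAMPLE_LOG))
    print("Bursting clients:", npe_bursts(SAMPLE_LOG))
```

Feed a real log file's contents to npe_bursts, tune window_seconds and threshold to the application's normal error rate, and correlate flagged clients with the request lines to distinguish an attacker from a broken integration that happens to hit the same exception.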
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2006-1547 |
| Vendor / Product | Apache — Struts 1 |
| NVD Published | 2006-03-30 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-01-21 |
| CISA KEV Deadline | 2022-07-21 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | None |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions: upgrade affected Struts 1 deployments to 1.2.9 or later, and plan migration off the end-of-life framework (see Remediation).
Timeline
| Date | Event |
|---|---|
| 2006-01-01 | Apache Struts 1.2.9 released, addressing the ActionForm BeanUtils vulnerability |
| 2006-03-30 | CVE-2006-1547 published; Apache Struts 1 ActionForm DoS vulnerability disclosed |
| 2022-01-21 | CISA added CVE-2006-1547 to the KEV catalog |
| 2022-07-21 | CISA BOD 22-01 remediation deadline (the standard six-month window for CVEs assigned before 2021) |
References
| Resource | Type |
|---|---|
| NVD — CVE-2006-1547 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |