JVN#19294237
Apache Struts vulnerable to ClassLoader manipulation
Overview
Apache Struts contains a vulnerability where the ClassLoader may be manipulated.
Products Affected
- Apache Struts 2.0.0 to 2.3.16.1
Description
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.
Impact
On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.
Solution
Update the Software
On April 25, 2014, Apache Struts 2.3.16.2, which contains a fix for this vulnerability, was released.
Upgrade the software according to the information provided by the developer.
Apply a Workaround
If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround, which mitigates the effects of this vulnerability.
- If there is a customized reference to the params interceptor, properly configure its excludeParams parameter.
- If the defaultStack is being used, change the stack in use to one where excludeParams is properly configured.
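As an added illustration of the second workaround (this is example configuration written for this page, not configuration published by the Apache Struts project or by JVN), the struts.xml fragment below defines a package that references the stock defaultStack but overrides the params interceptor's excludeParams, and makes that stack the default so application packages no longer run the unmodified defaultStack. Two assumptions are labelled in the comments: the package and action names are placeholders, and the exclusion regexes are the ones this example takes to be the vendor's S2-020/S2-021 patterns, which should be checked against the struts-default.xml shipped with the version actually deployed. Note that overriding excludeParams on an interceptor reference replaces the whole exclusion list, so the stock entries must be repeated rather than only the class-related one added.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- A base package (placeholder name) that every application package extends
         instead of struts-default, so nothing picks up the unmodified defaultStack. -->
    <package name="hardened-default" extends="struts-default">
        <interceptors>
            <interceptor-stack name="hardenedStack">
                <!-- Reference the stock defaultStack but override the params
                     interceptor's excludeParams. The override REPLACES the
                     default list, so the stock exclusions (dojo, struts,
                     session, request, ...) are repeated here.
                     ASSUMPTION: the first regex is the class-related exclusion
                     as understood from the vendor's S2-020/S2-021 fixes; verify
                     it against the vendor's current struts-default.xml. -->
                <interceptor-ref name="defaultStack">
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>

        <!-- Make the hardened stack the default for this package and for every
             package that extends it. -->
        <default-interceptor-ref name="hardenedStack"/>
    </package>

    <!-- Application packages extend the hardened package rather than struts-default.
         Package, namespace, action and result names below are placeholders. -->
    <package name="app" extends="hardened-default" namespace="/">
        <action name="hello" class="com.example.HelloAction">
            <result>/WEB-INF/jsp/hello.jsp</result>
        </action>
    </package>
</struts>
```

After deploying such a change, confirm that no package still declares `extends="struts-default"` with the stock defaultStack (or references the params interceptor directly without excludeParams), since any such package bypasses the hardened stack entirely; the workaround is only a stop-gap until the upgrade to 2.3.16.2 can be applied.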
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
Cybozu, Inc. | Not Vulnerable | 2015/03/17 | 
NEC Corporation | Vulnerable | 2015/01/20 | 
References
- IPA: [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020)
- CERT/CC Vulnerability Note VU#719225: Apache Struts2 ClassLoader allows access to class properties via request parameters
JPCERT/CC Addendum
It is reported that Apache Struts 1.x, which has reached its End-Of-Life (EOL), contains a similar vulnerability.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.04.25 (CVSS Base Metrics)
Metric | Possible Values | Selected Value | Description
---|---|---|---
Access Vector (AV) | Local (L) / Adjacent Network (A) / Network (N) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable".
Access Complexity (AC) | High (H) / Medium (M) / Low (L) | Low (L) | Specialized access conditions or extenuating circumstances do not exist.
Authentication (Au) | Multiple (M) / Single (S) / None (N) | None (N) | Authentication is not required to exploit the vulnerability.
Confidentiality Impact (C) | None (N) / Partial (P) / Complete (C) | Partial (P) | There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained.
Integrity Impact (I) | None (N) / Partial (P) / Complete (C) | Partial (P) | Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.
Availability Impact (A) | None (N) / Partial (P) / Complete (C) | Partial (P) | There is reduced performance or interruptions in resource availability.

Base Score: 7.5
Credit
NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Item | Value
---|---
JPCERT Alert | 
JPCERT Reports | 
CERT Advisory | 
CPNI Advisory | 
TRnotes | 
CVE | CVE-2014-0094, CVE-2014-0112
JVN iPedia | JVNDB-2014-000045
Update History
- 2014/04/25
- Change information under "Solution"
- 2014/04/28
- Sections under [Products Affected], [Solution], and [Vendor Status] have been updated.
- 2014/04/30
- Information under the sections "Products Affected", "References" and "JPCERT/CC Addendum" was updated.
- 2015/03/18
- Vendor status of NEC Corporation and Cybozu, Inc. was updated.