Published:2014/04/25  Last Updated:2015/03/18

JVN#19294237
Apache Struts vulnerable to ClassLoader manipulation

Overview

Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

Products Affected

  • Apache Struts 2.0.0 to 2.3.16.1

Description

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

Impact

On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.

Solution

Update the Software
On April 25, 2014, Apache Struts 2.3.16.2, which contains a fix for this vulnerability, was released.
Upgrade the software according to the information provided by the developer.

Apply a Workaround
If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround, which mitigates the effects of this vulnerability.

  • If there is a customized reference to the params interceptor, properly configure its excludeParams so that request parameter names reaching the class (and thus the ClassLoader) are rejected
  • If the defaultStack is being used, switch to a stack in which excludeParams is properly configured
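As an added example (not part of this advisory and not Struts project code), the following Python script mimics how the params interceptor matches its excludeParams patterns against incoming request parameter names, then runs that check over a few constructed access-log lines. It compares the pattern `^class\..*` that 2.3.16.2 added for S2-020 with the broader pattern `(.*\.|^)class\..*` introduced for S2-021 (CVE-2014-0112, fixed in 2.3.16.3), because the first pattern does not cover a parameter name that reaches `class` through a nested property (for example `user.class.classLoader...`). The log lines are constructed; the only excludeParams entries shown are the ClassLoader-related ones, the remaining defaults (`dojo\..*`, `^struts\..*`, and so on) are omitted.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# excludeParams entries relevant to this advisory (abridged: the other
# default entries such as dojo\..* and ^struts\..* are not shown).
WEAK_EXCLUDE = [r"^class\..*"]              # added in 2.3.16.2 (S2-020)
HARDENED_EXCLUDE = [r"(.*\.|^)class\..*"]   # replacement from S2-021 (CVE-2014-0112)


def is_excluded(param_name, patterns):
    """Mimic the params interceptor's exclusion check.

    Struts compiles each excludeParams entry with java.util.regex and calls
    matcher(name).matches(), which requires the WHOLE parameter name to
    match, so re.fullmatch is the Python equivalent (not re.search).
    """
    return any(re.fullmatch(p, param_name) for p in patterns)


# Constructed sample access-log lines (combined log format), not real traffic.
# Lines 2 and 3 carry parameter names of the shape used to probe for S2-020
# (walking from the action's class into the servlet container's ClassLoader).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2014:10:01:12 +0900] "GET /app/login.action?username=alice&password=x HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2014:10:02:44 +0900] "GET /app/login.action?class.classLoader.resources.context.parent.pipeline.first.directory=webapps HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2014:10:02:45 +0900] "GET /app/user.action?user.class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512
10.0.0.7 - - [25/Apr/2014:10:03:01 +0900] "POST /app/save.action?classic=true HTTP/1.1" 302 0
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of a log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def param_names(target):
    """Return the parameter names present in the query string of a request target."""
    query = urlsplit(target).query
    # keep_blank_values so that "class.classLoader.x=" is still seen as a name
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def scan_log(text, patterns=HARDENED_EXCLUDE):
    """Return (line_number, parameter_name) for every parameter a given
    excludeParams set would reject. Run with HARDENED_EXCLUDE to hunt for
    S2-020/S2-021 probes; run with WEAK_EXCLUDE to see what the 2.3.16.2
    pattern alone would have let through."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        for name in param_names(m.group("target")):
            if is_excluded(name, patterns):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for label, pats in (("2.3.16.2 pattern", WEAK_EXCLUDE),
                        ("S2-021 pattern", HARDENED_EXCLUDE)):
        print(label)
        for lineno, name in scan_log(SAMPLE_LOG, pats):
            print(f"  line {lineno}: {name}")
```

The same regex is what goes into the `excludeParams` parameter of the `params` interceptor in struts.xml when applying the workaround above; the nested case on line 3 of the sample is why `^class\..*` alone is not a sufficient value.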

References

  1. IPA
    [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020)
  2. CERT/CC Vulnerability Note VU#719225
    Apache Struts2 ClassLoader allows access to class properties via request parameters

JPCERT/CC Addendum

Apache Struts 1.x, which has reached End-of-Life (EOL), is reported to contain a similar vulnerability.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.04.25 (CVSS v2 Base Metrics)

Metric                    Value        Description
Access Vector (AV)        Network (N)  The vulnerable software is bound to the network stack and the attacker does not require local network access or local access; such a vulnerability is often termed "remotely exploitable".
Access Complexity (AC)    Low (L)      Specialized access conditions or extenuating circumstances do not exist.
Authentication (Au)       None (N)     Authentication is not required to exploit the vulnerability.
Confidentiality Impact (C) Partial (P) There is considerable information disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained.
Integrity Impact (I)      Partial (P)  Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.
Availability Impact (A)   Partial (P)  There is reduced performance or interruptions in resource availability.

Base Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5

Credit

NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2014-0094, CVE-2014-0112
JVN iPedia: JVNDB-2014-000045

Update History

2014/04/25
Change information under "Solution"
2014/04/28
Sections under [Products Affected], [Solution], and [Vendor Status] have been updated.
2014/04/30
Information under the sections "Products Affected", "References" and "JPCERT/CC Addendum" was updated.
2015/03/18
NEC Corporation and Cybozu, Inc. update status