5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.971 High
EPSS
Percentile
99.8%
Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters
Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters. This vulnerability was previously attempted to be addressed in S2-020 ClassLoader manipulation via request parameters. Unfortunately, the correction wasn’t sufficient.
Struts2 provides a mapping between Web parameters and Java methods. So an attacker could invoke a specific method on a remote Java server by specifying it in a URL. All Java objects have a getClass() method, which returns the object’s Class (this object represents classes). Every Class has a ClassLoader, which is the class that loaded the initial class; an attacker could access the ClassLoader using the Class.getClassLoader() method.
An unauthenticated attacker could manipulate the ClassLoader into disclosing private Class information or possibly load a malicious class file.
Update
The Apache Struts group has released Struts 2.3.16.2 as a “General Availability” release to address this vulnerability. The Apache Struts group is advising all developers to update.
The vendor has stated the following workaround:
_A security fix release fully addressing this issue is in preparation and will be released as soon as possible.
Once the release is available, all Struts2 users are strongly recommended to update their installations._
In your _struts.xml_
, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern found at the beginning of the excludeParams list:
`<interceptor-ref name=“params”>
<param name=“excludeParams”>(..|^|.|[(‘|"))(c|C)lass(.|(’|")]|[).,^dojo..,^struts..,^session..,^request..,^application..,^servlet(Request|Response)..,^parameters..,^action:.,^method:.</param>
</interceptor-ref>
If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration as in the following example. Given you are using defaultStack so far, change your packages from
<package name=“default” namespace=“/” extends=“struts-default”>
<default-interceptor-ref name=“defaultStack” />
…
…
</package>`
to
`<package name=“default” namespace=“/” extends=“struts-default”>
<interceptors>
<interceptor-stack name=“secureDefaultStack”>
<interceptor-ref name=“defaultStack”>
<param name=“params.excludeParams”>(..|^|.|[(‘|"))(c|C)lass(.|(’|")]|[).,^dojo..,^struts..,^session..,^request..,^application..,^servlet(Request|Response)..,^parameters..,^action:.,^method:.</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name=“secureDefaultStack” />
…
</package> `
719225
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: April 25, 2014
Affected
A security fix release fully addressing this issue is in preparation and will be released as soon as possible.
Once the release is available, all Struts 2 users are strongly recommended to update their installations.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.5 | E:H/RL:OF/RC:C |
Environmental | 6.9 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was publicly reported by Apache Struts2.
This document was written by Michael Orlando and David Svoboda.
CVE IDs: | CVE-2014-0094 |
---|---|
Date Public: | 2014-04-24 Date First Published: |