JVN#19294237: Apache Struts vulnerable to ClassLoader manipulation

2014-04-25T00:00:00
ID JVN:19294237
Type jvn
Reporter Japan Vulnerability Notes
Modified 2015-03-18T00:00:00

## Description

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

## Impact

On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.

## Solution

### Update the Software

On April 25, 2014, Apache Struts 2.3.16.2, which contains a fix for this vulnerability, was released.
Upgrade the software according to the information provided by the developer.

### Apply a Workaround

If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround, which mitigates the effects of this vulnerability.

  • If there is a customized reference to the params interceptor, then properly configure excludeParams
  • If the defaultStack is being used, then change the stack that is being used to one where excludeParams is properly configured
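The workaround hinges on the params interceptor's `excludeParams` setting: a comma-separated list of regular expressions, and any request parameter whose whole name matches one of them is dropped before it is bound to the action. The following added example (not code from the advisory or from Apache Struts) models that rule in Python to show why a list with no entry covering the `class` property lets ClassLoader-reaching names through, and what a hardened list rejects. Both regex lists are illustrative assumptions; take the exact `excludeParams` value from the vendor's advisory or the fixed release.

```python
import re

# Assumed, illustrative exclude list in the shape Struts uses: comma-separated
# regexes matched against the entire parameter name. Nothing here covers "class".
WEAK_EXCLUDE_PARAMS = (
    r"dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*"
)

# Hardened list (also assumed): one extra entry that rejects any name reaching
# the bean's "class" property by dot, bracket or quoted-bracket navigation.
HARDENED_EXCLUDE_PARAMS = (
    r"(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")\]|\[).*," + WEAK_EXCLUDE_PARAMS
)


def compile_exclude_params(value):
    """Split the comma-separated setting into compiled patterns."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_accepted(name, patterns):
    """A parameter is dropped when any exclude regex matches its whole name."""
    return not any(p.fullmatch(name) for p in patterns)


def accepted_parameters(params, exclude_value):
    """Return the subset of request parameters the interceptor would bind."""
    patterns = compile_exclude_params(exclude_value)
    return {k: v for k, v in params.items() if is_accepted(k, patterns)}


# Constructed request: two ordinary form fields plus three names that navigate
# into the class/ClassLoader property graph in the forms the regex must catch.
SAMPLE_REQUEST = {
    "user.name": "alice",
    "order.qty": "3",
    "class.classLoader.someProperty": "x",
    "Class['classLoader'].someProperty": "x",
    "user.class.classLoader.someProperty": "x",
}

if __name__ == "__main__":
    print("weak:    ", sorted(accepted_parameters(SAMPLE_REQUEST, WEAK_EXCLUDE_PARAMS)))
    print("hardened:", sorted(accepted_parameters(SAMPLE_REQUEST, HARDENED_EXCLUDE_PARAMS)))
```

Note that the blanket `class` entry is deliberately broad: a legitimate field such as `subclass.id` is also dropped, so check your own forms for parameter names containing `class` before rolling the workaround out.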

## Products Affected

  • Apache Struts 2.0.0 to 2.3.16.1