(RHSA-2014:0474) Important: struts security update

2014-05-07T04:00:00
ID RHSA-2014:0474
Type redhat
Reporter RedHat
Modified 2017-09-08T11:48:35

Description

Apache Struts is a framework for building web applications with Java.

It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114)

All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.