[ANN][SECURITY] Struts 1 - CVE-2014-0114 -Mitigation Advice Available, Possible RCE Impact


As confirmed in our last announcement, the Apache Struts 1 framework in all versions is affected by a ClassLoader manipulation vulnerability (CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2 (CVE-2014-0112, CVE-2014-0094) [1]. Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the Apache Struts project team can recommend a first mitigation that is relatively simple to apply. It involves the introduction of a generic Servlet filter, adding the possibility to blacklist unacceptable request parameters based on regular expressions. Please see the corresponding HP Fortify blog entry [2] for detailed instructions. The HP Fortify team also informed us that the vulnerability may be exploited for Remote Code Execution (RCE) in certain environments. Based on this information, the Apache Struts project team recommends to apply the mitigation advice *immediately* for all Struts 1 based applications. Struts 1 has had its End-Of-Life announcement more than one year ago [3]. However, in a cross project effort the Struts team is looking for a correction or an improved mitigation path. Please stay tuned for further information regarding a solution. This is a cross-list posting. If you have questions regarding this report, please direct them to security@struts.apache.org only. [1] http://struts.apache.org/release/2.3.x/docs/s2-021.html [2] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro [3] http://struts.apache.org/struts1eol-announcement.html -- Rene Gielen http://twitter.com/rgielen