Executive Summary

Summary
Title: Apache Struts2 ClassLoader allows access to class properties via request parameters
Information
Name: VU#719225
First vendor publication: 2014-04-25
Vendor: VU-CERT
Last vendor modification: 2014-04-28
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA          Environmental score: NA
Impact subscore: NA     Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS base score: 5        Attack range: Network
CVSS impact score: 2.9    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Vulnerability Note VU#719225

Apache Struts2 ClassLoader allows access to class properties via request parameters

Original Release date: 25 Apr 2014 | Last revised: 28 Apr 2014

Overview

Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters.

Description

Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters. An earlier fix, S2-020 (ClassLoader manipulation via request parameters), attempted to address this issue, but that correction was not sufficient.

Struts2 maps Web request parameters onto Java methods, so an attacker can invoke a specific method on a remote Java server by naming it in a URL. Every Java object has a getClass() method, which returns the object's Class (the object that represents its class). Every Class in turn has a ClassLoader, the object that loaded that class, and an attacker can reach the ClassLoader through the Class.getClassLoader() method.

Impact

An unauthenticated attacker could manipulate the ClassLoader into disclosing private Class information or possibly load a malicious class file.

Solution

Update

The Apache Struts group has released Struts 2.3.16.2 as a "General Availability" release to address this vulnerability and advises all developers to update.

The vendor has stated the following workaround:

A security fix release fully addressing this issue is in preparation and will be released as soon as possible.

Once the release is available, all Struts2 users are strongly recommended to update their installations.

In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern found at the beginning of the excludeParams list:

<interceptor-ref name="params">
  <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>

If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration as in the following example. Given you are using defaultStack so far, change your packages from

<package name="default" namespace="/" extends="struts-default">
   <default-interceptor-ref name="defaultStack" />
   ...
   ...
</package>

to

<package name="default" namespace="/" extends="struts-default">
   <interceptors>
       <interceptor-stack name="secureDefaultStack">
           <interceptor-ref name="defaultStack">
               <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
           </interceptor-ref>
       </interceptor-stack>
   </interceptors>

   <default-interceptor-ref name="secureDefaultStack" />
   ...
</package>
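The excludeParams value in the workaround above is a list of regular expressions, and the first of them is the one that decides whether a parameter name is allowed to reach class or classLoader. As an added example (not part of the CERT note or of the Apache Struts project's own code), the following Python script runs that exact pattern list over a set of constructed request parameter names, so an administrator can see which names the configuration drops and which ordinary field names (such as className) still pass through before deploying it. It assumes that each pattern must match the whole parameter name (modelled here with re.fullmatch) and that Python's re engine treats this particular pattern the same way java.util.regex does; the parameter names and values are constructed for illustration.

```python
import re

# The excludeParams value exactly as it appears in the workaround's
# <param name="excludeParams"> element (Struts splits it on commas).
EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

# One compiled pattern per comma-separated entry.
EXCLUDE_PATTERNS = [re.compile(p) for p in EXCLUDE_PARAMS.split(",")]

# Constructed request parameters (not from a real request): ordinary form
# fields mixed with names that try to navigate to class / classLoader.
SAMPLE_REQUEST = {
    "name": "alice",
    "className": "Widget",                     # legitimate: 'class' is only a prefix
    "user.classification": "internal",         # legitimate: 'class' inside a word
    "class.classLoader.example": "x",          # navigation via getClass()
    "Class.classLoader.example": "x",          # capitalised variant
    "user['class'].classLoader.example": "x",  # bracket/quote notation
    'user["class"].example': "x",
    "class[0]": "x",
    "struts.token": "abc",                     # framework-internal prefix
    "action:save": "1",                        # action-mapping prefix
}


def is_excluded(param_name):
    """True if the whole parameter name matches any exclude pattern.

    Assumption made by this example: the interceptor's exclusion check is a
    whole-name match, modelled here with re.fullmatch.
    """
    return any(p.fullmatch(param_name) for p in EXCLUDE_PATTERNS)


def filter_params(params):
    """Split request parameters into those passed on to the action and those dropped."""
    accepted, dropped = {}, []
    for name, value in params.items():
        if is_excluded(name):
            dropped.append(name)
        else:
            accepted[name] = value
    return accepted, dropped


if __name__ == "__main__":
    accepted, dropped = filter_params(SAMPLE_REQUEST)
    print("accepted:", sorted(accepted))
    print("dropped: ", dropped)
```

Running the script accepts name, className and user.classification and drops the seven remaining names. The same approach can be used to check a customised excludeParams list: add the application's real parameter names to the sample and confirm that none of them is dropped, since an over-broad pattern silently removes legitimate input rather than failing loudly.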

Vendor Information

Vendor: Apache Struts
Status: Affected
Date notified: -
Date updated: 25 Apr 2014

CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:P/I:--/A:--
Temporal       4.3    E:POC/RL:W/RC:C
Environmental  3.2    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://struts.apache.org/announce.html#a20140424
  • http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/

Credit

This vulnerability was publicly reported by Apache Struts2.

This document was written by Michael Orlando and David Svoboda.

Other Information

  • CVE IDs: CVE-2014-0094
  • Date Public: 24 Apr 2014
  • Date First Published: 25 Apr 2014
  • Date Last Updated: 28 Apr 2014
  • Document Revision: 11

Original Source

Url : http://www.kb.cert.org/vuls/id/719225

CPE: Common Platform Enumeration

Type         Description  Count
Application               86

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-06-25 IAVM : 2015-B-0083 - Multiple Vulnerabilities in IBM Storwize V7000 Unified
Severity : Category I - VMSKEY : V0060983
2014-07-03 IAVM : 2014-B-0090 - Multiple Vulnerabilities in VMware vCenter Operations
Severity : Category I - VMSKEY : V0052895

Snort® IPS/IDS

Date Description
2014-05-25 Apache Struts ParametersInterceptor classloader access attempt
RuleID : 30792 - Revision : 6 - Type : SERVER-APACHE
2014-05-25 Apache Struts ParametersInterceptor classloader access attempt
RuleID : 30790 - Revision : 6 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2015-06-26 Name : The remote IBM Storwize device is affected by multiple vulnerabilities.
File : ibm_storwize_1_5_0_2.nasl - Type : ACT_GATHER_INFO
2015-05-08 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_2_3_17.nasl - Type : ACT_GATHER_INFO
2015-05-08 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_0_11.nasl - Type : ACT_GATHER_INFO
2015-01-30 Name : The remote web server contains a web application that uses a Java framework t...
File : struts_2_3_16_1_win_local.nasl - Type : ACT_GATHER_INFO
2014-07-07 Name : The remote host has a virtualization appliance installed that is affected by ...
File : vcenter_operations_manager_vmsa_2014-0007.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote web server contains a web application that uses a Java framework t...
File : struts_2_3_16_2_dos.nasl - Type : ACT_DENIAL
2014-03-26 Name : The remote web server contains a web application that uses a Java framework t...
File : struts_2_3_16_1_classloader_manipulation.nasl - Type : ACT_ATTACK

Alert History

Date                 Information
2015-06-27 13:28:58
  • Multiple Updates
2015-05-09 13:27:33
  • Multiple Updates
2015-01-31 13:23:14
  • Multiple Updates
2014-05-01 13:24:45
  • Multiple Updates
2014-04-30 13:21:31
  • Multiple Updates
2014-04-28 21:20:10
  • Multiple Updates
2014-04-25 21:24:19
  • First insertion