Executive Summary

Informations
Name MDVSA-2014:095 First vendor Publication 2014-05-16
Vendor Mandriva Last vendor Modification 2014-05-16
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Updated struts packages fix security vulnerability:

It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions (CVE-2014-0114).

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:095

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24735
 
Oval ID: oval:org.mitre.oval:def:24735
Title: RHSA-2014:0474: struts security update (Important)
Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0474-00
CESA-2014:0474
CVE-2014-0114
 Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): struts
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24833
 
Oval ID: oval:org.mitre.oval:def:24833
Title: DSA-2940-1 libstruts1.2-java - security update
Description: The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.
Family: unix Class: patch
Reference(s): DSA-2940-1
CVE-2014-0114
 Version: 3
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
 Product(s): libstruts1.2-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24939
 
Oval ID: oval:org.mitre.oval:def:24939
Title: ELSA-2014:0474: struts security update (Important)
Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0474-00
CVE-2014-0114
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): struts
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26392
 
Oval ID: oval:org.mitre.oval:def:26392
Title: DEPRECATED: ELSA-2014-0474 -- struts security update (important)
Description: [1.2.9-4jpp.7] - Resolves: rhbz#1092457 - CVE-2014-0114: Fixed ClassLoader manipulation vulnerability - Added dist tag to release
Family: unix Class: patch
Reference(s): ELSA-2014-0474
CVE-2014-0114
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): struts
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 17

Snort® IPS/IDS

Date Description
2014-05-25 Apache Struts ParametersInterceptor classloader access attempt
RuleID : 30792 - Revision : 6 - Type : SERVER-APACHE
2014-05-25 Apache Struts ParametersInterceptor classloader access attempt
RuleID : 30790 - Revision : 6 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2018-08-30 Name : A web application running on the remote host is affected by multiple vulnerab...
File : activemq_5_15_5.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201607-09.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-57.nasl - Type : ACT_GATHER_INFO
2014-12-03 Name : The remote Windows host has web portal software installed that is affected by...
File : websphere_portal_7_0_0_2_cf29.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote Windows host has web portal software installed that is affected by...
File : websphere_portal_8_5_0_0_cf02.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0500.nasl - Type : ACT_GATHER_INFO
2014-10-30 Name : The remote host is affected by multiple vulnerabilities.
File : oracle_edq_oct_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-10-28 Name : The remote host is affected by a remote code execution vulnerability.
File : oracle_oaam_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-10-17 Name : The remote host has an application installed that is affected by multiple vul...
File : oracle_identity_management_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-09-17 Name : The remote host has a virtualization management application installed that is...
File : vmware_vcenter_vmsa-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-09-11 Name : The remote VMware ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-09-05 Name : The remote Windows host has web portal software installed that is affected by...
File : websphere_portal_cve-2014-0114.nasl - Type : ACT_GATHER_INFO
2014-08-23 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9380.nasl - Type : ACT_GATHER_INFO
2014-08-22 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2940.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote application server is affected by multiple vulnerabilities.
File : websphere_7_0_0_33.nasl - Type : ACT_GATHER_INFO
2014-05-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-095.nasl - Type : ACT_GATHER_INFO
2014-05-09 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0474.nasl - Type : ACT_GATHER_INFO
2014-05-09 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0474.nasl - Type : ACT_GATHER_INFO
2014-05-08 Name : The remote web server contains a web application that uses a Java framework t...
File : struts_classloader_manipulation.nasl - Type : ACT_DENIAL
2014-05-08 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140507_struts_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-05-07 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0474.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-05-20 13:23:33
  • Multiple Updates
2014-05-16 17:21:16
  • First insertion