Bug 1091938 (CVE-2014-0114)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters | | |
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | asantos, ataylor, carnil, chazlett, cperry, dbhole, djorm, dwalluck, fnasser, ganandan, grocha, hfnukal, jochrist, jrusnack, kfujii, lgao, mmiura, myamazak, myarboro, omajid, pcheung, puntogil, rhq-maint, security-response-team, spinder, taw, theute, tkonishi, weli, ykawada, ykinoshi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://issues.redhat.com/browse/ENTMQBR-2849 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-05-16 13:17:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1092452, 1092453, 1092454, 1092455, 1092456, 1092457, 1092458 | | |
| Bug Blocks: | 1091768, 1092459, 1092461, 1093611, 1093886, 1585921 | | |
Description

Arun Babu Neelicattu
2014-04-28 11:01:53 UTC

Upstream reports/references mentioning struts 1.x impact:

http://www.lac.co.jp/security/alert/2014/04/24_alert_01.html
http://www.nca.gr.jp/2014/struts_s20/index.html
http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

Upstream announcement regarding vulnerability and mitigation:

http://mail-archives.apache.org/mod_mbox/struts-user/201405.mbox/%3C53629980.8060805%40apache.org%3E

Created struts tracking bugs for this issue:

Affects: fedora-all [bug 1092452]

Statement:

This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2014:0474 https://rhn.redhat.com/errata/RHSA-2014-0474.html

This issue has been addressed in the following products:

Fuse ESB Enterprise 7.1.0 R1 P4

Via RHSA-2014:0498 https://rhn.redhat.com/errata/RHSA-2014-0498.html

This issue has been addressed in the following products:

Red Hat JBoss Fuse 6.1.0 Patch 1

Via RHSA-2014:0497 https://rhn.redhat.com/errata/RHSA-2014-0497.html

This issue has been addressed in the following products:

Red Hat Network Satellite Server v 5.4
Red Hat Network Satellite Server v 5.5
Red Hat Satellite Server v 5.6

Via RHSA-2014:0500 https://rhn.redhat.com/errata/RHSA-2014-0500.html

This issue has been addressed in the following products:

Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0511 https://rhn.redhat.com/errata/RHSA-2014-0511.html

struts-1.3.10-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Upstream Fix:

(proposed for struts 1.3.x) https://github.com/apache/struts1/pull/1

Mitigation:

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua

This issue has been addressed in the following products:

Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

This issue has been addressed in the following products:

Red Hat JBoss AMQ

Via RHSA-2019:2995 https://access.redhat.com/errata/RHSA-2019:2995

(In reply to Arun Babu Neelicattu from comment #37)
> Upstream Fix:
>
> (proposed for struts 1.3.x) https://github.com/apache/struts1/pull/1

This fix has never been applied upstream. Instead, the following fix was applied:

http://svn.apache.org/viewvc?view=revision&revision=1603883

This change depends on commons-beanutils 1.9.2, which introduced the SuppressPropertiesBeanIntrospector class, which can be used to block the use of specified bean properties. Relevant commons-beanutils upstream links:

https://commons.apache.org/proper/commons-beanutils/changes-report.html#a1.9.2
https://issues.apache.org/jira/browse/BEANUTILS-463
https://gitbox.apache.org/repos/asf?p=commons-beanutils.git;a=commitdiff;h=4e410e068b8d367c53766a7da712b1b6f3fd8101
https://gitbox.apache.org/repos/asf?p=commons-beanutils.git;a=commitdiff;h=2412c90ba5584fed123fa6a33e752e6c8eaf74e9
https://gitbox.apache.org/repos/asf?p=commons-beanutils.git;a=commitdiff;h=f3bdbbcfb853d81941f3cec84e5108779ab8d269

Note that commons-beanutils 1.9.2 does not fix the CVE-2014-0114 issue by itself. It only adds functionality that can be used by applications to easily block the use of the getClass() method to access the class property, but it still requires any affected application to be modified, as the protection is not enabled by default.

That was a deliberate upstream decision to not prevent the use of getClass() by default. However, that upstream decision was changed in commons-beanutils version 1.9.4, which started to block access to the class property by default:

https://commons.apache.org/proper/commons-beanutils/changes-report.html#a1.9.4
https://issues.apache.org/jira/browse/BEANUTILS-520
https://gitbox.apache.org/repos/asf?p=commons-beanutils.git;a=commitdiff;h=62e82ad92cf4818709d6044aaf257b73d42659a4
https://gitbox.apache.org/repos/asf?p=commons-beanutils.git;a=commitdiff;h=3f7f276dd720b7b95ed59387d9ac4561b2acc20b

This additional change got a separate CVE-2019-10086, see bug 1767483.
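As an added illustration of the opt-in protection described in the last comment (example code written for this page, not code from the bug report, Struts 1 or commons-beanutils), the snippet below registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS with the shared PropertyUtilsBean on commons-beanutils 1.9.2/1.9.3 and checks that the `class` property is no longer visible to BeanUtils.populate(). The `LoginForm` bean and the request-parameter map are constructed stand-ins for a Struts 1 ActionForm and the parameters Struts feeds to BeanUtils.populate().

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BlockClassProperty {

    /** Hypothetical form bean standing in for a Struts 1 ActionForm. */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /**
     * Call once at application start-up (e.g. from a ServletContextListener),
     * before any request is populated. On commons-beanutils 1.9.4+ this is
     * redundant because the class property is suppressed by default there.
     */
    public static void hardenBeanUtils() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per bean class; flush so classes introspected
        // before hardening do not keep an entry that still exposes "class".
        pub.clearDescriptors();
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();

        // Unhardened: "class" is a readable property, so a nested name such as
        // "class.classLoader..." resolves through Object.getClass().
        System.out.println("class readable before: " + PropertyUtils.isReadable(form, "class"));

        hardenBeanUtils();
        System.out.println("class readable after:  " + PropertyUtils.isReadable(form, "class"));

        // Constructed request parameters: one legitimate field and one nested
        // "class.*" path of the shape this CVE is about.
        Map<String, String> params = new HashMap<String, String>();
        params.put("username", "alice");
        params.put("class.classLoader.ignored", "x");

        // With "class" suppressed, BeanUtilsBean.setProperty finds no descriptor
        // for the nested path and skips it; only "username" is populated.
        BeanUtils.populate(form, params);
        System.out.println("username = " + form.getUsername());
    }
}
```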