Bug 1677721 (CVE-2019-3834)

Summary: CVE-2019-3834 JON: struts1 reversion of fix for CVE-2014-0114
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: chazlett, grocha, krathod, loleary, rfreire, security-response-team, sparks, spinder, theute
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: struts 1.3.10_1
Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Published exploits rely on exposed ClassLoader properties, such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by CVE-2019-3834 occurred only in JON 3.
Story Points: ---
Last Closed: 2019-05-16 20:36:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1677716, 1678115, 1678116, 1678117, 1678118, 1678119

Description Chess Hazlett 2019-02-15 17:12:20 UTC
JON had resolved struts1 flaw CVE-2014-0114 with https://rhn.redhat.com/errata/RHSA-2014-0511.html, but reverted the fix in a later release.

Comment 7 Chess Hazlett 2019-05-16 20:37:36 UTC

While the original flaw, CVE-2014-0114, was resolved as a precaution in JON 3.2.1, later further research revealed that JON did not expose the properties in an exploitable way, and was not vulnerable.
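The Doc Text above describes the flaw as manipulation of ClassLoader properties: in Struts 1, request parameters are copied onto the ActionForm with BeanUtils, which treats a parameter name such as class.classLoader.<...> as a nested property path, so a client can walk from the form bean to its ClassLoader. The following Python is an added illustration of the parameter-name check a CVE-2014-0114 mitigation performs before population; it is not code from this bug, from the Red Hat struts 1.3.10_1 patch, or from JON, and the function names, the blocked-segment list and the sample query strings are this example's own (the sample queries are constructed, not captured traffic, shaped like the published payloads that set properties under class.classLoader).

```python
"""Reject request parameters whose nested property path passes through ``class``.

Added example for the CVE-2014-0114 / CVE-2019-3834 discussion; not the
Red Hat Struts 1 patch and not JON code. Struts 1 populates ActionForm
beans with BeanUtils, which interprets a parameter name as a nested
property path (``a.b[0].c`` or ``a(key).c``). Every published
CVE-2014-0114 payload reaches the ClassLoader through the ``class``
property, so a path containing that segment is refused here.
"""
from __future__ import annotations

from urllib.parse import parse_qsl

# Segments that may never appear on a property path coming from a client.
# "class" resolves to java.lang.Class, and everything dangerous
# (classLoader, protectionDomain, ...) hangs off it. "classloader" is
# added for beans that expose a getClassLoader() of their own.
# Compared case-insensitively to stay conservative.
BLOCKED_SEGMENTS = {"class", "classloader"}


def split_property_path(name: str) -> list[str]:
    """Return the bare property names along a BeanUtils-style path.

    Indexed "[n]" and mapped "(key)" accessors are dropped, and a "." inside
    a mapped key (``lookup(a.b).name``) does not split the path.
    "user.addresses[0].street" -> ["user", "addresses", "street"]
    """
    segments: list[str] = []
    current: list[str] = []
    depth = 0  # nesting depth inside [...] or (...)
    for ch in name:
        if ch in "[(":
            depth += 1
        elif ch in "])" and depth:
            depth -= 1
        elif ch == "." and depth == 0:
            segments.append("".join(current))
            current = []
            continue
        if depth == 0 and ch not in "[]()":
            current.append(ch)
    segments.append("".join(current))
    return [seg for seg in segments if seg]


def is_classloader_manipulation(name: str) -> bool:
    """True if the property path walks through a blocked segment."""
    return any(seg.lower() in BLOCKED_SEGMENTS for seg in split_property_path(name))


def filter_parameters(query: str) -> tuple[dict[str, str], dict[str, str]]:
    """Partition a query string into (accepted, rejected) parameters.

    Returning both lets the caller fail the request outright, which is the
    safer choice, rather than silently dropping the offending parameters.
    """
    accepted: dict[str, str] = {}
    rejected: dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        (rejected if is_classloader_manipulation(key) else accepted)[key] = value
    return accepted, rejected


# Constructed sample requests (not captured traffic): a normal form post and
# a probe shaped like the published CVE-2014-0114 payloads.
BENIGN_QUERY = "username=alice&address.city=Raleigh&items[0].qty=2&classification.code=A"
PROBE_QUERY = (
    "username=alice"
    "&class.classLoader.resources.context.parent.pipeline.first.prefix=shell"
    "&class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
)

if __name__ == "__main__":
    for label, query in (("benign", BENIGN_QUERY), ("probe", PROBE_QUERY)):
        accepted, rejected = filter_parameters(query)
        print(f"{label}: accepted={sorted(accepted)} rejected={sorted(rejected)}")
```

In a real Struts 1 deployment this check sits in front of BeanUtils population (a servlet filter, or the request-population step itself), and a request carrying any rejected parameter should be refused with an error rather than partially processed. Note that "classification.code" passes: the check matches whole path segments, not the substring "class", so ordinary form fields are not caught.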