Bug 1677721 (CVE-2019-3834)

Summary:	CVE-2019-3834 JON: struts1 reversion of fix for CVE-2014-0114
Product:	[Other] Security Response	Reporter:	Chess Hazlett <chazlett>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	chazlett, grocha, krathod, loleary, rfreire, security-response-team, sparks, spinder, theute
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	struts 1.3.10_1	Doc Type:	If docs needed, set a value
Doc Text:	It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-05-16 20:36:17 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1677716, 1678115, 1678116, 1678117, 1678118, 1678119

Description Chess Hazlett 2019-02-15 17:12:20 UTC

JON had resolved struts1 flaw CVE-2014-0114 with https://rhn.redhat.com/errata/RHSA-2014-0511.html, but reverted the fix in a later release.

Comment 7 Chess Hazlett 2019-05-16 20:37:36 UTC

Statement:

While the original flaw, CVE-2014-0114, was resolved as a precaution in JON 3.2.1, later further research revealed that JON did not expose the properties in an exploitable way, and was not vulnerable.