Bug 1091938 - (CVE-2014-0114) CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20140429,repo...
Keywords: Security
Depends On: 1092452 1092453 1092454 1092455 1092456 1092457 1092458
Blocks: 1091768 1092459 1092461 1093611 1093886
Reported: 2014-04-28 07:01 EDT by Arun Babu Neelicattu
Modified: 2015-02-15 16:53 EST (History)

Doc Type: Bug Fix
Last Closed: 2014-05-16 09:17:00 EDT
Attachments: None

Description Arun Babu Neelicattu 2014-04-28 07:01:53 EDT
It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

The root cause of this issue is the fact that commons-beanutils exposes the class property by default, with no mechanism to disable access to it. If a framework built on commons-beanutils does not otherwise suppress access to the class property, then a remote attacker could use this flaw to manipulate the ClassLoader used by the underlying container. This could lead to remote code execution under certain conditions. commons-beanutils 1.9.2 has now shipped, including a specialized BeanIntrospector implementation that allows suppressing properties. Frameworks built on commons-beanutils can make use of the new pre-configured SuppressPropertiesBeanIntrospector to address this flaw.
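As an added illustration, not code from this bug report, from Struts or from commons-beanutils itself, the following shows how a framework built on commons-beanutils 1.9.2 registers the pre-configured SuppressPropertiesBeanIntrospector described above so that the "class" property stops resolving during bean population. The LoginForm bean, the hardenedPropertyUtils and isClassPropertyExposed helpers and the parameter values are constructed for the example; the "default exposes class" result assumes 1.9.2 or 1.9.3, where the default introspector still reports "class" unless it is suppressed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    // Hypothetical form bean standing in for a Struts 1 ActionForm; any JavaBean behaves the same.
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Build a PropertyUtilsBean that never reports "class" as a bean property.
    // SUPPRESS_CLASS is the pre-configured introspector shipped in commons-beanutils 1.9.2.
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return propertyUtils;
    }

    // True when "class" resolves to a readable property, i.e. the getClass() bridge is reachable.
    static boolean isClassPropertyExposed(PropertyUtilsBean propertyUtils, Object bean) throws Exception {
        return propertyUtils.getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();
        // Default introspection: "class" is visible, which is the condition this bug describes.
        System.out.println("default exposes class:  " + isClassPropertyExposed(new PropertyUtilsBean(), form));
        // Hardened introspection: "class" is gone, so any nested path rooted at it cannot resolve.
        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("hardened exposes class: " + isClassPropertyExposed(hardened, form));

        // Constructed request parameters: one legitimate field plus a path rooted at "class".
        // The value is a placeholder; the point is that the whole "class.*" path is dropped.
        Map<String, String> params = new HashMap<>();
        params.put("username", "alice");
        params.put("class.placeholder", "IGNORED");
        BeanUtilsBean beanUtils = new BeanUtilsBean(new ConvertUtilsBean(), hardened);
        // populate() skips the unknown "class" property (NoSuchMethodException is swallowed)
        // and still sets "username", so legitimate form binding keeps working.
        beanUtils.populate(form, params);
        System.out.println("username=" + form.getUsername());
    }
}
```

For a framework-wide fix the same introspector can instead be added to the shared instance via BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(...).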
Comment 10 Arun Babu Neelicattu 2014-04-29 07:14:56 EDT
Created struts tracking bugs for this issue:

Affects: fedora-all [bug 1092452]
Comment 20 David Jorm 2014-05-02 03:06:29 EDT
Statement:

This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353
Comment 31 errata-xmlrpc 2014-05-07 00:58:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0474 https://rhn.redhat.com/errata/RHSA-2014-0474.html
Comment 32 errata-xmlrpc 2014-05-14 14:07:05 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0 R1 P4

Via RHSA-2014:0498 https://rhn.redhat.com/errata/RHSA-2014-0498.html
Comment 33 errata-xmlrpc 2014-05-14 14:07:10 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0 Patch 1

Via RHSA-2014:0497 https://rhn.redhat.com/errata/RHSA-2014-0497.html
Comment 34 errata-xmlrpc 2014-05-14 15:07:54 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0500 https://rhn.redhat.com/errata/RHSA-2014-0500.html
Comment 35 errata-xmlrpc 2014-05-15 13:18:39 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0511 https://rhn.redhat.com/errata/RHSA-2014-0511.html
Comment 36 Fedora Update System 2014-08-22 22:00:34 EDT
struts-1.3.10-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.