Bug 1677721 (CVE-2019-3834) - CVE-2019-3834 JON: struts1 reversion of fix for CVE-2014-0114
Summary: CVE-2019-3834 JON: struts1 reversion of fix for CVE-2014-0114
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-3834
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1677716 1678115 1678116 1678117 1678118 1678119
TreeView+ depends on / blocked
 
Reported: 2019-02-15 17:12 UTC by Chess Hazlett
Modified: 2019-10-03 16:10 UTC (History)
9 users (show)

Fixed In Version: struts 1.3.10_1
Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3.
Clone Of:
Environment:
Last Closed: 2019-05-16 20:36:17 UTC


Attachments (Terms of Use)

Description Chess Hazlett 2019-02-15 17:12:20 UTC
JON had resolved struts1 flaw CVE-2014-0114 with https://rhn.redhat.com/errata/RHSA-2014-0511.html, but reverted the fix in a later release.

Comment 7 Chess Hazlett 2019-05-16 20:37:36 UTC
Statement:

While the original flaw, CVE-2014-0114, was resolved as a precaution in JON 3.2.1, later further research revealed that JON did not expose the properties in an exploitable way, and was not vulnerable.


Note You need to log in before you can comment on or make changes to this bug.