exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Struts 1 ClassLoader Manipulation Update

Struts 1 ClassLoader Manipulation Update
Posted May 3, 2014
Authored by Rene Gielen | Site struts.apache.org

Apache Struts 1, now EOL'ed a year ago, suffers from a ClassLoader manipulation vulnerability similar to recent findings. Alvaro Munoz and the HP Fortify team have helped the Struts team come up with a recommendation for mitigation.

tags | advisory
advisories | CVE-2014-0114
SHA-256 | f9f8a680c7342a4ec7664f0833621f029bef66354e591a521ed9ce01dd951ae2

Struts 1 ClassLoader Manipulation Update

Change Mirror Download
As confirmed in our last announcement, the Apache Struts 1 framework in
all versions is affected by a ClassLoader manipulation vulnerability
(CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2
(CVE-2014-0112, CVE-2014-0094) [1].

Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable request
parameters based on regular expressions. Please see the corresponding HP
Fortify blog entry [2] for detailed instructions.

The HP Fortify team also informed us that the vulnerability may be
exploited for Remote Code Execution (RCE) in certain environments. Based
on this information, the Apache Struts project team recommends to apply
the mitigation advice *immediately* for all Struts 1 based applications.

Struts 1 has had its End-Of-Life announcement more than one year ago
[3]. However, in a cross project effort the Struts team is looking for a
correction or an improved mitigation path. Please stay tuned for further
information regarding a solution.

This is a cross-list posting. If you have questions regarding this
report, please direct them to security@struts.apache.org only.

[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
[3] http://struts.apache.org/struts1eol-announcement.html

--
René Gielen
http://twitter.com/rgielen
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close