21-04-2021

Struts 1 Classloader Vulnerability



Overview

Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters

Classloader vulnerability reproducing procedure in struts 1.1 Question: In Struts1, I heard that there is a classloader vulnerability issue which is cause by CVE-2014-0114. But I am unable to reproduce this respect to my project. Can anyone help me how to reproduce this issue. I googled but not get any procedure of reproducing. The version of Struts in use contains a flaw that allows the manipulation of the ClassLoader via the 'class' parameter of an ActionForm object that results a denial of service. Note that this vulnerability may be exploited to execute arbitrary remote code in certain application servers with specific configurations; however, Nessus has not.

Description

Struts 1 Classloader Vulnerability Module

Apache Struts2 2.3.16.1 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters. This vulnerability was previously attempted to be addressed in S2-020 ClassLoader manipulation via request parameters. Unfortunately, the correction wasn't sufficient.

Struts2 provides a mapping between Web parameters and Java methods. So an attacker could invoke a specific method on a remote Java server by specifying it in a URL. All Java objects have a getClass() method, which returns the object's Class (this object represents classes). Every Class has a ClassLoader, which is the class that loaded the initial class; an attacker could access the ClassLoader using the Class.getClassLoader() method.

Impact

An unauthenticated attacker could manipulate the ClassLoader into disclosing private Class information or possibly load a malicious class file.

Solution

Update
The Apache Struts group has released Struts 2.3.16.2 as a 'General Availability' release to address this vulnerability. The Apache Struts group is advising all developers to update.

Classloader

The vendor has stated the following workaround:
A security fix release fully addressing this issue is in preparation and will be released as soon as possible.
Once the release is available, all Struts2 users are strongly recommended to update their installations.
In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern found at the beginning of the excludeParams list:
<interceptor-ref name='params'>
<param name='excludeParams'>(.*.|^|.*|[('|'))(c|C)lass(.|('|')]|[).*,^dojo..*,^struts..*,^session..*,^request..*,^application..*,^servlet(Request|Response)..*,^parameters..*,^action:.*,^method:.*</param>
</interceptor-ref>
If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration as in the following example. Given you are using defaultStack so far, change your packages from
<package name='default' namespace='/' extends='struts-default'>
<default-interceptor-ref name='defaultStack' />
...
...
</package>
to
<package name='default' namespace='/' extends='struts-default'>
<interceptors>
<interceptor-stack name='secureDefaultStack'>
<interceptor-ref name='defaultStack'>
<param name='params.excludeParams'>(.*.|^|.*|[('|'))(c|C)lass(.|('|')]|[).*,^dojo..*,^struts..*,^session..*,^request..*,^application..*,^servlet(Request|Response)..*,^parameters..*,^action:.*,^method:.*</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name='secureDefaultStack' />
...
</package>

Vendor Information

Struts 1 classloader vulnerability assessmentStruts 1 Classloader Vulnerability

Struts 1 Classloader Vulnerability Assessment

Javascript is disabled. Click here to view vendors.

Apache Struts Affected

Updated: April 25, 2014

Status

Affected

Vendor Statement

A security fix release fully addressing this issue is in preparation and will be released as soon as possible.

Once the release is available, all Struts 2 users are strongly recommended to update their installations.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

GroupScoreVector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.5 E:H/RL:OF/RC:C
Environmental 6.9 CDP:L/TD:H/CR:ND/IR:ND/AR:ND

Vulnerability

References

Acknowledgements

This vulnerability was publicly reported by Apache Struts2.

This document was written by Michael Orlando and David Svoboda.

Other Information

CVE IDs:CVE-2014-0094
Date Public:2014-04-24
Date First Published:2014-04-25
Date Last Updated: 2014-07-24 21:53 UTC
Document Revision: 14

Newsletter

Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Infosec Insider Post

Struts 1 Classloader Vulnerability

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.