JVNDB-2014-000045

Apache Struts vulnerable to ClassLoader manipulation

Overview

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Apache Software Foundation
  • Apache Struts 2.0.0 to 2.3.16.1
MIRACLE LINUX CORPORATION
  • Asianux Server 3 for x86(32bit)
  • Asianux Server 3 for x86_64(64bit)
FUJITSU
  • FUJITSU Integrated System HA Database Ready
  • Interstage Business Analytics Modeling Server
  • Interstage Business Process Manager Analytics
  • Interstage Mobile Manager
  • Interstage eXtreme Transaction Processing Server
  • Interstage Application Development Cycle Manager
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Interaction Manager
  • Interstage Job Workload Server
  • Interstage Service Integrator
  • Interstage Studio
  • ServerView Resource Orchestrator
  • Symfoware Analytics Server
  • Symfoware Server
  • Systemwalker Service Catalog Manager
  • Systemwalker Service Quality Coordinator
  • Systemwalker Software Configuration Manager
  • TRIOLE CloudMiddleSet B set
  • Cloud Infrastructure Management Software

It is reported that Apache Struts 1.x, which has reached its End-Of-Life (EOL), contains a similar vulnerability.

Impact

On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.

Solution

[Update the Software]
On April 25, 2014, Apache Struts 2.3.16.2, which contains a fix for this vulnerability, was released.
Upgrade the software according to the information provided by the developer.

[Apply a Workaround]
If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround, which mitigates the effects of this vulnerability.

* If there is a customized reference to the params interceptor, then properly configure excludeParams
* If the defaultStack is being used, then change the stack that is being used to one where excludeParams is properly configured
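The two workaround bullets above, as an added struts.xml example (not from JVN, IPA or the Struts project): a customised stack that references the params interceptor without excludeParams, next to the corrected stack that sets it and is then made the package default. The package, action and class names are constructed, and the exclusion patterns are an illustrative assumption; take the authoritative patterns from the struts-default.xml shipped with Apache Struts 2.3.16.2 or later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Constructed package name for illustration -->
  <package name="example" extends="struts-default">
    <interceptors>

      <!-- Weak: a customised reference to the params interceptor that never
           sets excludeParams. Every request parameter name is handed to OGNL,
           so names that walk through the action's class property can reach
           the ClassLoader (the manipulation this advisory describes). -->
      <interceptor-stack name="weakStack">
        <interceptor-ref name="params"/>
      </interceptor-stack>

      <!-- Corrected: the same reference with excludeParams configured.
           The comma-separated regular expressions below are an assumption
           for illustration; copy the real list from struts-default.xml
           in Struts 2.3.16.2 or later. -->
      <interceptor-stack name="hardenedStack">
        <interceptor-ref name="params">
          <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^(action|method):.*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Second bullet: stop relying on defaultStack and make the stack
         with excludeParams the default for every action in the package. -->
    <default-interceptor-ref name="hardenedStack"/>

    <!-- Constructed action and class names -->
    <action name="hello" class="com.example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>
</struts>
```

Any action that still declares its own interceptor-ref list must be checked individually, since a per-action reference to the params interceptor bypasses the package default.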

Vendor Information

Apache Software Foundation
Huawei
IBM Corporation
  • IBM Support Document : 1680848
  • IBM Support Document : 1681190 (in Japanese)
VMware
Oracle Corporation
Trend Micro, Inc.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
NEC Corporation
  • NEC Security Information : NV15-001 (in Japanese)
FUJITSU

CWE

  1. No Mapping(CWE-DesignError) [IPA Evaluation]

CVE

  1. CVE-2014-0094
  2. CVE-2014-0112

References

  1. JVN : JVN#19294237
  2. National Vulnerability Database (NVD) : CVE-2014-0094
  3. National Vulnerability Database (NVD) : CVE-2014-0112
  4. IPA SECURITY ALERTS : [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020) (in Japanese)
  5. US-CERT Vulnerability Note : VU#719225
  6. Related document : Ver 7.3.0.0 - What's New?

Revision History

[2014/04/25]
  Web page was published
[2014/04/25]
  Solution was modified
[2014/04/28]
  Solution was modified
  Vendor Information : Contents were added
[2014/05/01]
  Affected Products was modified
  Vendor Information : Content was added
  References : Contents were added
[2014/05/20]
  Affected Products was modified
  Vendor Information : Content was added
[2014/05/29]
  Vendor Information : Content was added
[2014/06/03]
  Vendor Information : Content was added
[2014/06/16]
  Affected Products was modified
  Vendor Information : Content was added
[2014/06/23]
  Vendor Information : Content was added
[2014/07/01]
  Vendor Information : Contents were added
[2014/08/06]
  Vendor Information : Content was added
[2014/11/18]
  Vendor Information : Contents were added
[2015/01/21]
  Vendor Information : Content was added
[2015/04/20]
  Vendor Information : Contents were added
[2015/05/08]
  References : Content was added