
JVNDB-2014-000056

TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation

Overview

TERASOLUNA Server Framework for Java(Web) provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for Java(Web) bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114). Therefore, this vulnerability affects TERASOLUNA Server Framework for Java(Web) as well.

CVSS Severity

Base Metrics: 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


NTT DATA
  • TERASOLUNA Server Framework for Java(Web) 2.0.0.1 to 2.0.5.1

Impact

On a server where the product is running, a remote attacker may steal information or execute arbitrary code.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

On May 23, 2014, TERASOLUNA Server Framework for Java(Web) 2.0.5.2, which contains Apache Struts 1.2.9 with SP1 by TERASOLUNA, was released.

Vendor Information

Apache Software Foundation
IBM Corporation
Oracle Corporation
Red Hat, Inc.
NTT DATA
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS14-018
  • Hitachi Software Vulnerability Information : HS14-020
FUJITSU

CWE

  1. No Mapping(CWE-DesignError) [IPA Evaluation]

CVE

  1. CVE-2014-0114

References

  1. JVN : JVN#30962312
  2. JVN iPedia : JVNDB-2014-002308 (in Japanese)
  3. National Vulnerability Database (NVD) : CVE-2014-0114

Revision History

[2014/06/17]
  Web page was published
[2014/07/09]
  Vendor Information : Content was added
[2014/07/14]
  Vendor Information : Content was added
[2014/07/22]
  Vendor Information : Contents were added
[2014/07/23]
  Vendor Information : Content was added
[2014/08/06]
  Vendor Information : Content was added
[2014/08/12]
  Vendor Information : Content was added
[2014/09/02]
  Vendor Information : Contents were added
[2014/10/21]
  Vendor Information : Contents were added
[2015/01/22]
  Vendor Information : Contents were added