|
JVNDB-2014-000045
|
Apache Struts vulnerable to ClassLoader manipulation
|
Apache Struts, provided by the Apache Software Foundation, is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.
NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
Apache Software Foundation
- Apache Struts 2.0.0 to 2.3.16.1
MIRACLE LINUX CORPORATION
- Asianux Server 3 for x86(32bit)
- Asianux Server 3 for x86_64(64bit)
FUJITSU
- FUJITSU Integrated System HA Database Ready
- Interstage Business Analytics Modeling Server
- Interstage Business Process Manager Analytics
- Interstage Mobile Manager
- Interstage eXtreme Transaction Processing Server
- Interstage Application Development Cycle Manager
- Interstage Application Framework Suite
- Interstage Application Server
- Interstage Apworks
- Interstage Business Application Server
- Interstage Interaction Manager
- Interstage Job Workload Server
- Interstage Service Integrator
- Interstage Studio
- ServerView Resource Orchestrator
- Symfoware Analytics Server
- Symfoware Server
- Systemwalker Service Catalog Manager
- Systemwalker Service Quality Coordinator
- Systemwalker Software Configuration Manager
- TRIOLE CloudMiddleSet B set
- Cloud Infrastructure Management Software
|
It is reported that Apache Struts 1.x, which has reached its End-Of-Life (EOL), contains a similar vulnerability.
|
On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.
|
[Update the Software]
On April 25, 2014, Apache Struts 2.3.16.2, which contains a fix for this vulnerability, was released.
Upgrade the software according to the information provided by the developer.
[Apply a Workaround]
If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround, which mitigates the effects of this vulnerability.
* If there is a customized reference to the params interceptor, then properly configure excludeParams
* If the defaultStack is being used, then change the stack that is being used to one where excludeParams is properly configured
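As an added illustration of the workaround above (not taken from this JVNDB entry or from the Struts project), the struts.xml fragment below shows an action package left on the stock defaultStack beside a package that switches to a custom stack whose params interceptor has excludeParams overridden. The package names, action class and the pattern list are assumptions; the authoritative pattern list is the one the developer published with 2.3.16.2, so compare the exact patterns against it before relying on them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Before: actions run on the stock defaultStack, so the params
       interceptor keeps the excludeParams list it shipped with and maps
       every other request parameter name onto the action's object graph. -->
  <package name="before" extends="struts-default">
    <action name="hello" class="example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>

  <!-- After: a stack that reuses defaultStack but overrides excludeParams
       on the interceptor named "params" inside it (the "params." prefix
       addresses that interceptor). Patterns are comma-separated Java
       regexes; a pattern must match the whole parameter name to exclude
       it, so anchors and trailing .* matter. The list is illustrative. -->
  <package name="after" extends="struts-default">
    <interceptors>
      <interceptor-stack name="hardenedStack">
        <interceptor-ref name="defaultStack">
          <param name="params.excludeParams">(?i)(^|.*\.)class(\.|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <!-- Every action in this package now runs on the hardened stack. -->
    <default-interceptor-ref name="hardenedStack"/>
    <action name="hello" class="example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>
</struts>
```

The first pattern uses the (?i) flag so that any capitalisation of a "class" segment is excluded, and none of the patterns may contain a comma, since Struts splits the value on commas before compiling each entry.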
|
Apache Software Foundation
Huawei
IBM Corporation
- IBM Support Document : 1680848
- IBM Support Document : 1681190 (in Japanese)
VMware
Oracle Corporation
Trend Micro, Inc.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
NEC Corporation
- NEC Security Information : NV15-001 (in Japanese)
FUJITSU
|
- No Mapping (CWE-DesignError) [IPA Evaluation]
|
- CVE-2014-0094
- CVE-2014-0112
|
- JVN : JVN#19294237
- National Vulnerability Database (NVD) : CVE-2014-0094
- National Vulnerability Database (NVD) : CVE-2014-0112
- IPA SECURITY ALERTS : [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020) (in Japanese)
- US-CERT Vulnerability Note : VU#719225
- Related document : Ver 7.3.0.0 - What's New?
|
[2014/04/25]
Web page was published
[2014/04/25]
Solution was modified
[2014/04/28]
Solution was modified
Vendor Information : Contents were added
[2014/05/01]
Affected Products was modified
Vendor Information : Content was added
References : Contents were added
[2014/05/20]
Affected Products was modified
Vendor Information : Content was added
[2014/05/29]
Vendor Information : Content was added
[2014/06/03]
Vendor Information : Content was added
[2014/06/16]
Affected Products was modified
Vendor Information : Content was added
[2014/06/23]
Vendor Information : Content was added
[2014/07/01]
Vendor Information : Contents were added
[2014/08/06]
Vendor Information : Content was added
[2014/11/18]
Vendor Information : Contents were added
[2015/01/21]
Vendor Information : Content was added
[2015/04/20]
Vendor Information : Contents were added
[2015/05/08]
References : Content was added
|