Apache Struts vulnerable to ClassLoader manipulation


Apache Struts, provided by the Apache Software Foundation, is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Apache Software Foundation
  • Apache Struts 2.0.0 to
  • Asianux Server 3 for x86(32bit)
  • Asianux Server 3 for x86_64(64bit)
  • FUJITSU Integrated System HA Database Ready
  • Interstage Business Analytics Modeling Server
  • Interstage Business Process Manager Analytics
  • Interstage Mobile Manager
  • Interstage eXtreme Transaction Processing Server
  • Interstage Application Development Cycle Manager
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Interaction Manager
  • Interstage Job Workload Server
  • Interstage Service Integrator
  • Interstage Studio
  • ServerView Resource Orchestrator
  • Symfoware Analytics Server
  • Symfoware Server
  • Systemwalker Service Catalog Manager
  • Systemwalker Service Quality Coordinator
  • Systemwalker Software Configuration Manager
  • TRIOLE CloudMiddleSet B set
  • Cloud Infrastructure Management Software

It is reported that Apache Struts 1.x, which has reached its End-Of-Life (EOL), contains a similar vulnerability.

On a server where Apache Struts is running, a remote attacker may steal information or execute arbitrary code.

[Update the Software]
On April 25, 2014, a version of Apache Struts containing a fix for this vulnerability was released.
Upgrade the software according to the information provided by the developer.

[Apply a Workaround]
If the updated Apache Struts cannot be applied immediately, apply the following workaround to mitigate the effects of this vulnerability.

* If there is a customized reference to the params interceptor, then properly configure excludeParams
* If the defaultStack is being used, then change the stack that is being used to one where excludeParams is properly configured
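
One way to check both workaround conditions above against a struts.xml file, as an added example (not code from this advisory or from the Apache Struts project). The sample XML, the probe parameter names and the class-excluding pattern are constructed for illustration; it assumes excludeParams is a comma-separated list of regular expressions matched against the whole parameter name, and the pattern to deploy is the one published by the developer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed probe names -> whether excludeParams should reject them.
PROBES = {"class.classLoader.someProperty": True,
          "user.class.classLoader.someProperty": True,
          "user.name": False, "classification": False}

def audit(struts_xml):
    """List findings for every params / defaultStack reference in struts.xml text."""
    findings = []
    for ref in ET.fromstring(struts_xml).iter("interceptor-ref"):
        name = ref.get("name")
        if name not in ("params", "defaultStack"):
            continue
        # A stack reference overrides the setting as "params.excludeParams".
        key = "excludeParams" if name == "params" else "params.excludeParams"
        raw = next((p.text or "" for p in ref.findall("param")
                    if p.get("name") == key), None)
        if raw is None:
            findings.append(f"{name}: no excludeParams set here, inherited value applies")
            continue
        # Assumption: comma-separated regexes, each matched against the full name.
        patterns = [re.compile(p.strip()) for p in raw.split(",") if p.strip()]
        for probe, want_blocked in PROBES.items():
            blocked = any(p.fullmatch(probe) for p in patterns)
            if blocked != want_blocked:
                verdict = "is not excluded" if want_blocked else "is wrongly excluded"
                findings.append(f"{name}: '{probe}' {verdict}")
    return findings

# Constructed configuration: a custom params reference plus an action on defaultStack.
WEAK_XML = r"""<struts><package name="demo" extends="struts-default">
  <interceptors><interceptor-stack name="appStack">
    <interceptor-ref name="params">
      <param name="excludeParams">dojo\..*,^struts\..*</param>
    </interceptor-ref>
  </interceptor-stack></interceptors>
  <action name="edit" class="demo.EditAction">
    <interceptor-ref name="defaultStack"/>
  </action>
</package></struts>"""
# Same file with a constructed class-excluding pattern added (not the developer's value).
REVISED_XML = WEAK_XML.replace(r"dojo\..*", r"(.*\.|^)class\..*,dojo\..*")

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_XML), ("revised", REVISED_XML)):
        print(label, audit(xml))
```

A finding for defaultStack means the effective excludeParams comes from the stack definition shipped with the installed Struts version, so that definition has to be reviewed separately.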
Vendor Information

Apache Software Foundation
Huawei
IBM Corporation
  • IBM Support Document : 1680848
  • IBM Support Document : 1681190 (in Japanese)
VMware
Oracle Corporation
Trend Micro, Inc.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
NEC Corporation
  • NEC Security Information : NV15-001 (in Japanese)
CWE

  1. No Mapping(CWE-DesignError) [IPA Evaluation]
CVE

  1. CVE-2014-0094
  2. CVE-2014-0112

References

  1. JVN : JVN#19294237
  2. National Vulnerability Database (NVD) : CVE-2014-0094
  3. National Vulnerability Database (NVD) : CVE-2014-0112
  4. IPA SECURITY ALERTS : [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020) (in Japanese)
  5. US-CERT Vulnerability Note : VU#719225
  6. Related document : Ver - What's New?
Revision History

  • [2014/04/25]
      Web page was published
      Solution was modified
      Solution was modified
      Vendor Information : Contents were added
      Affected Products was modified
      Vendor Information : Content was added
      References : Contents were added
      Affected Products was modified
      Vendor Information : Content was added
      Vendor Information : Content was added
      Vendor Information : Content was added
      Affected Products was modified
      Vendor Information : Content was added
      Vendor Information : Content was added
      Vendor Information : Contents were added
      Vendor Information : Content was added
      Vendor Information : Contents were added
      Vendor Information : Content was added
      Vendor Information : Contents were added
      References : Content was added