JVNDB-2014-000045

Apache Struts vulnerable to ClassLoader manipulation

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated.

NTT-CERT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Apache Software Foundation

• Apache Struts 2.0.0 to 2.3.16.1

MIRACLE LINUX CORPORATION

• Asianux Server 3 for x86(32bit)
• Asianux Server 3 for x86_64(64bit)

FUJITSU

• FUJITSU Integrated System HA Database Ready
• Interstage Business Analytics Modeling Server
• Interstage Business Process Manager Analytics
• Interstage Mobile Manager
• Interstage eXtreme Transaction Processing Server
• Interstage Application Development Cycle Manager
• Interstage Application Framework Suite
• Interstage Application Server
• Interstage Apworks
• Interstage Business Application Server
• Interstage Interaction Manager
• Interstage Job Workload Server
• Interstage Service Integrator
• Interstage Studio
• ServerView Resource Orchestrator
• Symfoware Analytics Server
• Symfoware Server
• Systemwalker Service Catalog Manager
• Systemwalker Service Quality Coordinator
• Systemwalker Software Configuration Manager
• TRIOLE CloudMiddleSet B set
• Cloud Infrastructure Management Software

It is reported that Apache Struts 1.x which has reached to its End-Of-Life (EOL) contains a similar vulnerability.

On a server where Apache Struts in running, a remote attacker may steal information or execute arbitrary code.

[Update the Software]
On 2014 April 25, Apache Struts 2.3.16.2 which contains a fix for this vulnerability has been released.
Upgrade the software according to the information provided by the developer.

[Apply a Workaround]
If Apache Struts 2.3.16.2 cannot be applied immediately, apply the following workaround which enables to mitigate the affects of this vulnerability.

* If there is a customized reference to the params interceptor, then properly configure excludeParams
* If the defaultStack is being used, then change the stack that is being used to one where excludeParams is properly configured

Apache Software Foundation

• Apache Struts : Announcements - 2013 24 April 2014 - Struts up to 2.3.16.1: Zero-Day Exploit Mitigation
• Apache Struts : Security Bulletins S2-020
• Apache Struts : Security Bulletins S2-021
• Apache Struts : Download a Release of Apache Struts -- Full Releases Struts 2.3.16.2

Huawei

• Security Advisory : Huawei-SA-20140707-01-Struts2

IBM Corporation

• IBM Support Document : 1680848
• IBM Support Document : 1681190 (in Japanese)

VMware

• Knowledge Base : 2081470
• VMware Security Advisories : VMSA-2014-0007

Oracle Corporation

• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - April 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices
• SECURITY BLOG : April 2015 Critical Patch Update Released

Trend Micro, Inc.

• Trend Micro : Alert/Advisory: Multiple Vulnerabilities in Apache Struts on Trend Micro Products (in Japanese)

MIRACLE LINUX CORPORATION

• Asianux Technical Support Network : struts-1.2.9-4jpp.8.AXS3 (in Japanese)

Red Hat, Inc.

• Red Hat Bugzilla : Bug 1091939

NEC Corporation

• NEC Security Information : NV15-001 (in Japanese)

FUJITSU

• FUJITSU Security Information : Interstage Application Development Cycle Manager(ADM): Apache Struts vulnerable (CVE-2014-0094) (in Japanese)
• FUJITSU Security Information : CVE-2014-0094, CVE-2014-0114: Apache Struts vulnerable to ClassLoader manipulation
• FUJITSU Security Information : Interstage Business Process Manager Analytics, Systemwalker Service Quality Coordinator: Vulnerability of allowing attackers to "manipulate" the ClassLoader (CVE-2014-0094). May 20th, 2014
• FUJITSU Security Information : Symfoware Server (Open Interface) : Security vulnerabilities of Struts (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (in Japanese)
• FUJITSU Security Information : Interstage Interaction Manager: Struts1 vulnerability (CVE-2014-0094) (in Japanese)
• FUJITSU Security Information : Interstage Mobile Manager: Struts1 vulnerability (CVE-2014-0094) (in Japanese)
• FUJITSU Security Information : FUJITSU Integrated System HA Database Ready: Struts2 vulnerabilities (CVE-2014-0094,CVE-2014-0112,CVE-2014-0113,CVE-2014-0116) (in Japanese)

1. No Mapping(CWE-DesignError) [IPA Evaluation]

1. CVE-2014-0094
2. CVE-2014-0112

1. JVN : JVN#19294237
2. National Vulnerability Database (NVD) : CVE-2014-0094
3. National Vulnerability Database (NVD) : CVE-2014-0112
4. IPA SECURITY ALERTS : [Updated] Security Alert for Vulnerability in the "Apache Struts2" (CVE-2014-0094)(S2-020) (in Japanese)
5. US-CERT Vulnerability Note : VU#719225
6. Related document : Ver 7.3.0.0 - What�fs New?

• [2014/04/25]
    Web page was published
  [2014/04/25]
    Solution was modified
  [2014/04/28]
    Solution was modified
    Vendor Information : Contents were added
  [2014/05/01]
    Affected Products was modified
    Vendor Information : Content was added
    References : Contents were added
  [2014/05/20]
    Affected Products was modified
    Vendor Information : Content was added
  [2014/05/29]
    Vendor Information : Content was added
  [2014/06/03]
    Vendor Information : Content was added
  [2014/06/16]
    Affected Products was modified
    Vendor Information : Content was added
  [2014/06/23]
    Vendor Information : Content was added
  [2014/07/01]
    Vendor Information : Contents were added
  [2014/08/06]
    Vendor Information : Content was added
  [2014/11/18]
    Vendor Information : Contents were added
  [2015/01/21]
    Vendor Information : Content was added
  [2015/04/20]
    Vendor Information : Contents were added
  [2015/05/08]
    References : Content was added