JVNDB-2014-000056

TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation

TERASOLUNA Server Framework for Java(Web) provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for Java(Web) bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114). Therefore, this vulnerability affects TERASOLUNA Server Framework for Java(Web) as well.

NTT DATA

• TERASOLUNA Server Framework for Java(Web) 2.0.0.1 to 2.0.5.1

On a server where the product in running, a remote attacker may steal information or execute arbitrary code.

[Update the Software]
Update to the latest version according to the information provided by the developer.

On 2014 May 23, TERASOLUNA Server Framework for Java(Web) 2.0.5.2, which contains Apache Struts 1.2.9 with SP1 by TERASOLUNA has been released.

Apache Software Foundation

• Apache : BEANUTILS-463
• Apache : Commons BeanUtils Package Version 1.9.2 Release Notes

IBM Corporation

• IBM Support Document : 1675523
• IBM Support Document : 1676303
• IBM Support Document : 1676375
• IBM Support Document : 1676931
• IBM Support Document : 1678621 (in Japanese)
• IBM Support Document : 1680848
• IBM Support Document : 1680194

Oracle Corporation

• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2014
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2014
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - January 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices
• SECURITY BLOG : July 2014 Critical Patch Update Released
• SECURITY BLOG : October 2014 Critical Patch Update Released
• SECURITY BLOG : January 2015 Critical Patch Update Released

Red Hat, Inc.

• Red Hat : Does CVE-2014-0114 affect Struts 1 in Red Hat products?
• Red Hat Bugzilla : Bug 1091938
• Red Hat Bugzilla : Bug 1116665

NTT DATA

• NTT DATA Corporation : NTT DATA Corporation website
• SourceForge : TERASOLUNA Framework
• SourceForge : Apache Struts 1.2.9 with SP1 by NTT DATA

Hitachi, Ltd

• Hitachi Software Vulnerability Information : HS14-018
• Hitachi Software Vulnerability Information : HS14-020

FUJITSU

• FUJITSU Security Information : Interstage Navigator Explorer Server: vulnerability in Struts (CVE-2014-0114) (in Japanese)
• FUJITSU Security Information : Impact of CVE-2014-0094 / CVE-2014-0114 (in Japanese)
• FUJITSU Security Information : Interstage Business Application Server, Interstage Application Server, Interstage Apworks, Interstage Studio, Interstage Application Framework Suite, Interstage Job Workload Server, Interstage Service Integrator: vulnerability in Struts (CVE-2014-0114) (in Japanese)

1. No Mapping(CWE-DesignError) [IPA Evaluation]

1. CVE-2014-0114

1. JVN : JVN#30962312
2. JVN iPedia : JVNDB-2014-002308 (in Japanese)
3. National Vulnerability Database (NVD) : CVE-2014-0114

• [2014/06/17]
    Web page was published
  [2014/07/09]
    Vendor Information : Content was added
  [2014/07/14]
    Vendor Information : Content was added
  [2014/07/22]
    Vendor Information : Contents were added
  [2014/07/23]
    Vendor Information : Content was added
  [2014/08/06]
    Vendor Information : Content was added
  [2014/08/12]
    Vendor Information : Content was added
  [2014/09/02]
    Vendor Information : Contents were added
  [2014/10/21]
    Vendor Information : Contents were added
  [2015/01/22]
    Vendor Information : Contents were added