Summary
Excerpt |
---|
Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude Improves excluded params in ParametersInterceptor (and CookieInterceptor to avoid ClassLoader manipulation) |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | DoS attacks and ClassLoader manipulation |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.16.12 |
Affected Software | Struts 2.0.0 - Struts 2.3.16.1 |
Reporter | Peter Magnusson (peter.magnusson at omegapoint.se), Przemysław Celej (p-celej at o2.pl)Taki Uchiyama (JPCERT/CC), Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), Yoshiyuki Karezaki, BAKA/ty, Shine (1983059165 at qq.com), NSFOCUS Security Team |
CVE Identifier | CVE-2014-0050 (DoS), -0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor CVE-2014-0113 - 0094 (ClassLoader manipulation )via CookieInterceptor when configured to accept all cookies |
Problem
The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.
...