...
| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | ClassLoader manipulation |
| Maximum security rating | High |
| Recommendation | Developers should immediately upgrade to Struts 2.3.16.2 |
| Affected Software | Struts 2.0.0 - Struts 2.3.16.1 |
| Reporter | Taki Uchiyama (JPCERT/CC), |
| CVE Identifier | CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor; CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies |
Problem
The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation. The excluded parameter pattern introduced in version 2.3.16.1 to block access to the getClass() method wasn't sufficient; it is possible to bypass it with a specially crafted request. CookieInterceptor is also vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure the cookiesName param).
Solution
In Struts 2.3.16.1, Commons FileUpload was updated to version 1.3.1 and a "class" pattern was added to excludeParams in the struts-default.xml configuration of ParametersInterceptor. In Struts 2.3.16.2, an improved "class" pattern was introduced directly in ParametersInterceptor and CookieInterceptor.
Backward compatibility
No backward compatibility problems are expected.
...
If you cannot upgrade to version 2.3.16.2, which is strongly advised, you can apply the workarounds below:
Upgrade commons-fileupload
The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the updated jar. For Maven-based Struts 2 projects, the following dependency needs to be added:
```xml
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.1</version>
</dependency>
```
Exclude 'class' parameter
Replace the previous class-related pattern '^class\.*' with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' in the list of excludeParams as below:
```xml
<interceptor-ref name="params">
    <param name="excludeParams">(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
```
It isn't possible to do the same with CookieInterceptor, so don't use wildcard mapping to accept cookie names.