...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | DoS attacks and ClassLoader manipulation |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.16.2 |
Affected Software | Struts 2.0.0 - Struts 2.3.16.1 |
Reporter | Mark Thomas (markt at apache.org), Peter Magnusson (peter.magnusson at omegapoint.se), Przemysław Celej (p-celej at o2.pl) |
CVE Identifier | CVE-2014-0050 (DoS), CVE-2014-0094 (ClassLoader manipulation) |
Problem
The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is directly mapped to the getClass() method of the action and so allows ClassLoader manipulation through a parameter name such as class.classLoader....
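Why a parameter named 'class' is reachable at all, and one way to reject it before binding, as an added example that is not part of the original bulletin and not Struts project code: UserAction, walk and isAcceptableParam are constructed for illustration, and the DENY_CLASS pattern is an assumption for this example, not the excludeParams expression Struts itself ships.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Struts project code): why a request parameter named
// "class" reaches getClass(), and how a parameter-name filter blocks it.
public class ClassParamDemo {

    // Constructed sample action with a single legitimate property.
    // It never declares a "class" property, yet introspection reports one.
    public static class UserAction {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Property names the JavaBeans introspector exposes for a type.
    // Every object inherits getClass() from java.lang.Object, so the
    // introspector reports a readable property called "class" on all of them.
    public static List<String> beanProperties(Class<?> type) throws IntrospectionException {
        List<String> names = new ArrayList<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(type).getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        return names;
    }

    // Resolve a dotted parameter name by calling one bean getter per segment,
    // as a binder that maps parameter names onto property chains would.
    // "class.classLoader" therefore lands on the action's ClassLoader.
    public static Object walk(Object root, String chain) throws Exception {
        Object current = root;
        for (String segment : chain.split("\\.")) {
            Object next = null;
            BeanInfo info = Introspector.getBeanInfo(current.getClass());
            for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
                if (pd.getName().equals(segment) && pd.getReadMethod() != null) {
                    next = pd.getReadMethod().invoke(current);
                    break;
                }
            }
            if (next == null) {
                throw new IllegalArgumentException("no readable property '" + segment + "'");
            }
            current = next;
        }
        return current;
    }

    // Hardening: reject any parameter whose chain contains a "class" segment,
    // whether written as class.x, x.class.y, x['class'].y or x["Class"].y.
    // This pattern is an assumption for the example, not the exclusion
    // expression Struts ships; it matches case-insensitively so that a
    // capitalised spelling of the segment is caught as well.
    private static final Pattern DENY_CLASS = Pattern.compile(
            "(^|.*[.\\[]['\"]?)class(['\"]?[.\\]\\[]|$).*", Pattern.CASE_INSENSITIVE);

    public static boolean isAcceptableParam(String name) {
        return !DENY_CLASS.matcher(name).matches();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("introspected properties: " + beanProperties(UserAction.class));
        Object reached = walk(new UserAction(), "class.classLoader");
        System.out.println("class.classLoader resolves to: " + reached.getClass().getName());

        // Constructed parameter names: two legitimate, three that target getClass().
        String[] params = {"name", "classification", "class.classLoader.x",
                           "user.Class.classLoader", "user['class'].y"};
        for (String p : params) {
            System.out.println(p + " -> " + (isAcceptableParam(p) ? "accepted" : "rejected"));
        }
    }
}
```

The filter has to run on the raw parameter name before any binding takes place: once the first segment has been resolved through getClass(), the binder is already holding the Class object and everything reachable from it. Note that "classification" and "subclass" are accepted, since the pattern only fires on a whole segment named class.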
...
If you cannot upgrade to version 2.3.16.2, which is strongly advised, you can apply the workarounds below:
...
The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the updated jar; make sure no second copy of the old version remains on the application's classpath. For Maven based Struts 2 projects, the following dependency needs to be added to the project POM, which takes precedence over the version pulled in transitively by struts2-core (verify the result with mvn dependency:tree):
...