Summary
Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Maximum security rating
Developers should immediately upgrade to Struts 126.96.36.199
Struts 2.0.0 - Struts 188.8.131.52
NTT-CERT via JPCERT/CC,
CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor
CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies
The excluded parameter pattern introduced in version 184.108.40.206 to block access to the getClass() method wasn't sufficient. It is possible to bypass it with specially crafted requests. CookieInterceptor is also vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure
In Struts 220.127.116.11, an improved "class" pattern was introduced directly into ParametersInterceptor and CookieInterceptor.
No backward compatibility problems are expected.
If you cannot upgrade to version 18.104.22.168 immediately - which is strongly advised - you can apply the workarounds below:
Exclude 'class' parameter
Replace the previous class-related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' in the list of excludeParams as below
It isn't possible to do the same with CookieInterceptor, so either don't use wildcard mapping to accept cookie names, or implement your own version of CookieInterceptor based on the code provided in Struts 22.214.171.124.
Please be aware that this workaround is not as complete as the corrections in Struts 126.96.36.199
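A way to check the workaround pattern against parameter names before deploying it, added here as an example and not taken from Struts or from this bulletin. The class name, the isExcluded helper, the sample names and the whole-name matching are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ExcludeParamsCheck {
    // Workaround pattern from the bulletin, escaped for a Java string literal.
    static final Pattern CLASS_PATTERN = Pattern.compile(
        "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*");

    // Assumption: a name is rejected when the whole name matches the pattern.
    static boolean isExcluded(String paramName) {
        return CLASS_PATTERN.matcher(paramName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names mapped to the result the pattern should give.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("class.classLoader", true);      // dotted access to class
        samples.put("class['classLoader']", true);   // index notation after class
        samples.put("user.class.name", true);        // class reached through a nested property
        samples.put("top['class'].name", true);      // class as a single-quoted index
        samples.put("top[\"class\"].name", true);    // class as a double-quoted index
        samples.put("subclass.id", true);            // over-blocking: "class" before '.' is enough
        samples.put("className", false);             // ordinary names that merely start with "class"
        samples.put("classification.id", false);
        samples.put("user.name", false);

        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean excluded = isExcluded(e.getKey());
            System.out.printf("%-24s %s%n", e.getKey(), excluded ? "excluded" : "allowed");
            if (excluded != e.getValue()) {
                throw new AssertionError("unexpected result for " + e.getKey());
            }
        }
    }
}
```

Add your application's own parameter names to the sample map: a legitimate name shaped like subclass.id is rejected by this pattern and would no longer be set on the action.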