Summary: Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation
Who should read this: All Struts 2 developers and users
Impact of vulnerability
Maximum security rating
Recommendation: Developers should immediately upgrade to Struts 2.3.16.2
Affected Software: Struts 2.0.0 - Struts 2.3.16.1
Reporters: Taki Uchiyama (JPCERT/CC), Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), Yoshiyuki Karezaki, BAKA/ty, Shine (1983059165 at qq.com), NSFOCUS Security Team
CVE Identifiers:
CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor
CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies
Problem: The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is mapped directly to the getClass() method and allows ClassLoader manipulation.
Solution: In Struts 2.3.16.2, Commons FileUpload was updated to version 1.3.1 and "class" was added to excludeParams in the struts-default.xml configuration of ParametersInterceptor.
No backward compatibility problems are expected.
Workaround: If you cannot upgrade to version 2.3.16.2, which is strongly advised, you can apply the workarounds below:
The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the updated jar. For Maven-based Struts 2 projects, the following dependency needs to be added:
Exclude 'class' parameter
Simply add '^class\.*' to the list of excludeParams as below
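Both workarounds as configuration fragments, added here as an illustration rather than copied from the advisory. The package and stack names are assumed, and the excludeParams entries listed before ^class\.* are assumed to be the defaults shipped in struts-default.xml; check them against the version you actually run, because overriding the parameter replaces the whole list.

```xml
<!-- pom.xml: pull in the fixed Commons FileUpload, a drop-in replacement for 1.3 -->
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.1</version>
</dependency>

<!-- struts.xml: exclude the 'class' parameter from ParametersInterceptor.
     Package name "app" and stack name "hardenedStack" are assumed; the entries
     before ^class\.* are assumed to match the excludeParams of your struts-default.xml. -->
<package name="app" extends="struts-default">
    <interceptors>
        <interceptor-stack name="hardenedStack">
            <interceptor-ref name="defaultStack">
                <!-- "params.<param>" overrides a parameter of the nested 'params'
                     interceptor inside defaultStack; the value replaces the entire list -->
                <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*,^class\.*</param>
            </interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <!-- make the hardened stack the default for every action in this package -->
    <default-interceptor-ref name="hardenedStack"/>
</package>
```

Any action or package that references a different stack, or that sets its own params.excludeParams, needs the same ^class\.* entry added there as well.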