Bug 508946 (CVE-2014-0112) - dev-java/struts : Two Vulnerabilities (CVE-2014-{0112,0113})
Summary: dev-java/struts : Two Vulnerabilities (CVE-2014-{0112,0113})
Status: RESOLVED FIXED
Alias: CVE-2014-0112
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/58016/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-28 09:21 UTC by Agostino Sarubbo
Modified: 2016-02-07 11:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-28 09:21:26 UTC
From ${URL} :

Description

Two vulnerabilities have been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions.

1) The application allows access to the "class" parameter which is directly mapped to the "getClass()" method via the ParametersInterceptor.

This vulnerability is caused due to an incomplete fix of CVE-2014-0094.

For more information see vulnerability #1 in:
SA56440

2) The application allows access to the "class" parameter which is directly mapped to the "getClass()" method via the CookieInterceptor. This can be exploited to manipulate the ClassLoader used by the application server.

Successful exploitation of this vulnerability requires that the application is configured to accept all cookies.

The vulnerabilities are reported in versions prior to 2.3.16.2.


Solution:
Update to version 2.3.16.2.

Provided and/or discovered by:
JPCERT/CC. The vendor additionally credits Takeshi Terada and Takayoshi Isayama, Mitsui Bussan Secure Directions, Inc., Yoshiyuki Karezaki, BAKA/ty, Shine, NSFOCUS Security Team, heige.

Original Advisory:
Apache Struts S2-021:
http://struts.apache.org/development/2.x/docs/s2-021.html

JVN (English):
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://jvn.jp/en/jp/JVN19294237/index.html


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
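Added example, not part of the original report or of Struts itself: a small Python check that flags request parameter names and cookie names whose property path passes through "class", the access that the advisory above says ParametersInterceptor and CookieInterceptor failed to restrict. The sample requests are constructed, the function names are hypothetical, and matching "class" case-insensitively is a conservative assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Splits an OGNL-style name into property segments: a.b, a['b'], a["b"], a[0]
_SEGMENT = re.compile(r"""\[\s*['"]?([^'"\]]*)['"]?\s*\]|([^.\[\]]+)""")

def segments(name):
    """Return the property segments of a parameter or cookie name."""
    return [bracket or plain for bracket, plain in _SEGMENT.findall(name)]

def touches_class(name):
    """True if any whole segment is 'class' (which maps to getClass())."""
    return any(seg.strip().lower() == "class" for seg in segments(name))

def suspicious_names(request_target, cookie_header=""):
    """List (kind, name) pairs whose name reaches the 'class' property."""
    hits = []
    # parse_qsl percent-decodes names, so encoded dots and brackets are seen.
    query = urlsplit(request_target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if touches_class(name):
            hits.append(("parameter", name))
    # Cookie names are split by hand: bracket characters are not legal in
    # strict cookie parsers, which would silently drop such names.
    for pair in cookie_header.split(";"):
        name = pair.partition("=")[0].strip()
        if name and touches_class(name):
            hits.append(("cookie", name))
    return hits

# Constructed samples: (request target, Cookie header value)
SAMPLES = [
    ("/app/view.action?id=7&page=2", "JSESSIONID=abc123"),
    ("/app/save.action?user.className=x&classification=public", ""),
    ("/app/save.action?class.classLoader.placeholder=x", ""),
    ("/app/save.action?top%5B%27class%27%5D.placeholder=x", ""),
    ("/app/view.action", "theme=dark; Class.placeholder=x"),
]

def scan(samples=SAMPLES):
    """Run the check over every sample and return one hit list per sample."""
    return [suspicious_names(target, cookies) for target, cookies in samples]

if __name__ == "__main__":
    for (target, cookies), hits in zip(SAMPLES, scan()):
        print("FLAG" if hits else "ok  ", target, "|", cookies, "->", hits)
```

Names such as `user.className` and `classification` are not flagged because only a whole path segment equal to "class" counts.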
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 18:00:45 UTC
CVE-2014-0113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0113):
  CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard
  cookiesName value is used, does not properly restrict access to the getClass
  method, which allows remote attackers to "manipulate" the ClassLoader and
  execute arbitrary code via a crafted request.  NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2014-0094.

CVE-2014-0112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0112):
  ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly
  restrict access to the getClass method, which allows remote attackers to
  "manipulate" the ClassLoader and execute arbitrary code via a crafted
  request.  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2014-0094.
Comment 2 Patrice Clement gentoo-dev 2016-02-07 11:09:56 UTC
This package has been removed, along with all the struts related ebuilds. See bug 540888.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-02-07 11:22:28 UTC
The package is gone.