Remote code execution in Apache Struts
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-0112 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Apache Struts Server applications / Frameworks for developing and running applications |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU68588
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2014-0112
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions within the getClass method in ParametersInterceptor. A remote non-authenticated attacker can manipulate the ClassLoader via a specially crafted request and execute arbitrary code on the system.
Note, the vulnerability exists due to incomplete fix for #VU5234 (CVE-2014-0094).
Install updates from vendor's website.
Vulnerable software versionsApache Struts: 2.0.0 - 2.3.16.1
CPE2.3- cpe:2.3:a:apache_foundation:struts:2.0.0:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:*:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:2.0.3:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:2.0.4:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:2.0.5:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:2.0.8:*:*:*:*:apache_tomcat:*:*
- cpe:2.3:a:apache_foundation:struts:2.0.9:*:*:*:*:apache_tomcat:*:*
https://jvn.jp/en/jp/JVN19294237/index.html
https://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
https://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
https://secunia.com/advisories/59178
https://secunia.com/advisories/59500
https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://www.securityfocus.com/archive/1/531952/100/0/threaded
https://www.securityfocus.com/archive/1/532549/100/0/threaded
https://www.securityfocus.com/bid/67064
https://www.vmware.com/security/advisories/VMSA-2014-0007.html
https://www-01.ibm.com/support/docview.wss?uid=swg21676706
https://access.redhat.com/errata/RHSA-2019:0910
https://bugzilla.redhat.com/show_bug.cgi?id=1091939
https://cwiki.apache.org/confluence/display/WW/S2-021
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
