Overview
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The framework is widely used to create enterprise-level Java web applications.
A security bypass vulnerability (CVE-2014-0094) has been identified in the ParametersInterceptor component of Apache Struts versions 2.0.0 through 2.3.16.1. This vulnerability allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method. Exploiting this vulnerability could lead to unauthorized access and potential remote code execution.
This issue affects versions of Apache Struts from 2.0.0 up to, but not including, 2.3.16.2.
Details
Module Info
- Product: Apache Struts
- Affected packages: struts2-core
- Affected versions: >=2.0.0, <2.3.16.2
- GitHub repository: https://github.com/apache/struts
- Published packages: https://mvnrepository.com/artifact/org.apache.struts/struts2-core
- Package manager: Maven
- Fixed in: Apache Struts 2.3.16.2
Vulnerability Info
This medium-severity vulnerability is found in the ParametersInterceptor component of Apache Struts. The vulnerability arises because the ParametersInterceptor does not properly restrict access to the ClassLoader. An attacker can exploit this by manipulating the class parameter, which is passed to the getClass method, allowing unauthorized access to the ClassLoader. This can lead to potential remote code execution and unauthorized access to sensitive information.
Steps To Reproduce
To reproduce this vulnerability in a controlled environment, you would need an Apache Struts application running an affected version and configured to use the ParametersInterceptor.
- Set up a vulnerable Apache Struts application:
- Create a simple web application using a vulnerable Apache Struts version, such as 2.3.16.1.
- Define an action class named ExampleAction.java as shown in the example above.
- Configure the application to use the ParametersInterceptor in struts.xml:
<action name="exampleAction" class="com.example.ExampleAction">
    <interceptor-ref name="params"/>
    <result name="success">/success.jsp</result>
</action>
- Deploy and launch the application.
- Craft an attack payload:
- Construct a URL that includes the class parameter to manipulate the ClassLoader:
http://localhost:8080/app/exampleAction?class.classLoader=com.example.CustomClassLoader
- Send the malicious request:
- Use a web browser or a tool like curl to send the crafted URL to the server:
curl -X GET "http://localhost:8080/app/exampleAction?class.classLoader=com.example.CustomClassLoader"
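As an added detection example (not part of the original advisory), the following Python scans constructed access-log lines for query parameters that walk into getClass() through a "class" path segment, covering the dotted form shown above and, as an assumed generalization, bracket and mixed-case spellings that OGNL would resolve the same way:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A parameter name is suspicious when "class" appears as a whole path
# segment, in dotted or bracket notation, any case (assumption: these are
# the spellings OGNL resolves to the action's getClass()).
CLASS_SEGMENT = re.compile(
    r"""(?:^|\.|\[['"]?)class(?:$|\.|\[|['"]?\])""", re.IGNORECASE)

# Request line inside a combined-format access log entry: ip ... [ts] "METHOD target ..."
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\w+) (\S+) [^"]*"')


def suspicious_params(url: str) -> list[str]:
    """Return query parameter names that address the Class/ClassLoader chain."""
    query = urlsplit(url).query  # parse_qsl also decodes %2E, %5B etc. in names
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if CLASS_SEGMENT.search(name)]


def scan_access_log(lines):
    """Return (client_ip, method, path, [param names]) for requests worth alerting on.

    Only the query string is visible in an access log; parameters sent in a
    POST body must be inspected at the proxy or WAF instead.
    """
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        names = suspicious_params(target)
        if names:
            hits.append((ip, method, urlsplit(target).path, names))
    return hits


# Constructed sample log lines (not real traffic); the second reproduces the
# shape of the request shown in the steps above, the third a bracket variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2014:12:00:01 +0000] "GET /app/exampleAction?name=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2014:12:00:02 +0000] "GET /app/exampleAction?class.classLoader=com.example.CustomClassLoader HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2014:12:00:03 +0000] "GET /app/exampleAction?Class%5B%27classLoader%27%5D.resources=x HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2014:12:00:04 +0000] "POST /app/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, method, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}: suspicious parameter(s) {names}")
```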
Credits
- This vulnerability was disclosed by the Apache Software Foundation.
Mitigation
Users of the affected components should apply one of the following mitigations:
- Move to secure versions of Apache Struts.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.