Overview
Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications.
A Remote Code Execution (RCE) vulnerability, CVE-2014-0114, exists in the Apache Commons BeanUtils library that Struts 1 uses to populate ActionForm beans from HTTP request parameters. BeanUtils does not suppress the class property that every Java object exposes through getClass(), so a request parameter whose name starts with class.classLoader is resolved into the form bean's ClassLoader. An attacker who can manipulate the ClassLoader from an unauthenticated request can leverage that access to execute arbitrary code on the server.
Per the Open Web Application Security Project (OWASP): "Code Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization." Here the "interpreter" is BeanUtils' property resolver, which walks a dotted parameter name as a chain of getter calls on the target bean.
All Struts 1 releases up to and including 1.3.10 are affected.
Details
Module Info
- Product: Apache Struts 1
- Affected packages: struts-core, commons-beanutils
- Affected versions: <=1.3.10
- GitHub repository: https://github.com/apache/struts1
- Package manager: Maven
- Fixed in: NES for Struts (Struts 1 v1.3.11)
Vulnerability Info
This vulnerability affects Apache Commons BeanUtils as distributed in commons-beanutils and used by Apache Struts 1.x through 1.3.10 (which bundles BeanUtils 1.8.0), as well as other products that rely on Commons BeanUtils through version 1.9.2. The flaw arises because BeanUtils does not suppress the class property. When Struts populates an ActionForm from request parameters, BeanUtils resolves a dotted parameter name segment by segment, so a parameter named class is answered by the form bean's getClass() method, class.classLoader by that Class object's getClassLoader(), and so on. This gives a remote attacker a handle on the ClassLoader and on state reachable from it, which can be manipulated to achieve remote code execution (RCE).
Commons BeanUtils 1.9.2 introduced the BeanIntrospector mechanism, together with SuppressPropertiesBeanIntrospector, so that an application can remove the class property from introspection and deny attackers a path to the ClassLoader. The suppression was not enabled by default in PropertyUtilsBean, however, so applications that upgraded to 1.9.2 without registering the introspector remained exposed. CVE-2019-10086 was assigned to this unsafe default, and BeanUtils 1.9.4 resolves it by suppressing the class property by default.
Steps To Reproduce
Append to any request that Struts populates into an ActionForm a parameter whose name walks from the bean's class property into its ClassLoader, such as ?class.classLoader…={value}. BeanUtils resolves the name as a chain of getter calls and then applies the value to whatever object the chain ends on, so the unsuppressed class property gives the attacker write access to the ClassLoader and to objects reachable from it. No special endpoint is required; every action backed by an ActionForm is a target, which is why this is a high-risk remote code execution (RCE) vector.
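The servlet Filter below is an added example, not code from the Struts project or from this advisory, that refuses any request whose parameter names would walk through a class segment before Struts and BeanUtils ever see it. It assumes the Servlet 2.x javax.servlet API that Struts 1 targets; the class name ClassParamFilter and the segment-matching rule are illustrative. The same check is exposed as a static method so it can be unit-tested against parameter names directly.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Struts): rejects requests whose parameter
 * names contain a segment that BeanUtils would resolve as the bean's
 * "class" property, e.g. "class.classLoader.x", "user.class.classLoader",
 * "user['class'].x" or "user[class]". Names that merely contain the word,
 * such as "classification" or "subclass.name", are left alone.
 */
public class ClassParamFilter implements Filter {

    // A "class" segment is delimited by start/end of name, a dot, or
    // indexed/mapped brackets (with optional quotes). Case-insensitive on
    // purpose: cheap defence in depth against capitalised variants.
    private static final Pattern CLASS_SEGMENT = Pattern.compile(
            "(^|\\.|\\[['\"]?)class($|\\.|\\[|['\"]?\\])",
            Pattern.CASE_INSENSITIVE);

    /** True if this parameter name would reach a bean's class property. */
    static boolean isForbidden(String paramName) {
        return paramName != null && CLASS_SEGMENT.matcher(paramName).find();
    }

    /** Returns the first offending parameter name, or null if none. */
    static String firstForbidden(Enumeration<?> names) {
        while (names.hasMoreElements()) {
            String name = String.valueOf(names.nextElement());
            if (isForbidden(name)) {
                return name;
            }
        }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String bad = firstForbidden(req.getParameterNames());
        if (bad != null) {
            // Fail closed: do not let the request reach ActionServlet.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_BAD_REQUEST, "rejected parameter name");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** Stand-alone check of the matching rule on constructed names. */
    public static void main(String[] args) {
        String[] hostile = { "class.classLoader.x", "user.class.classLoader",
                             "user['class'].x", "user[class]", "form.Class.x" };
        String[] benign  = { "name", "classification", "subclass.name", "myclass" };
        for (String n : hostile) System.out.println(n + " -> " + isForbidden(n)); // true
        for (String n : benign)  System.out.println(n + " -> " + isForbidden(n)); // false
    }
}
```

Map the filter in web.xml on the same URL pattern as the Struts ActionServlet (for example *.do) so it runs first. One caveat: getParameterNames() does not see fields of a multipart/form-data request, which Struts 1 parses itself through its MultipartRequestHandler, so a request-level filter narrows the vector but does not replace suppressing the class property inside BeanUtils.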
Credit
- Red Hat, Inc
Mitigation
Struts 1 has reached end of life and is no longer community-supported; the community version will not receive an update for this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade commons-beanutils to 1.9.4 or later, which suppresses the class property by default. If you must remain on 1.9.2 or 1.9.3, register SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS on the PropertyUtilsBean that Struts uses (the one behind BeanUtilsBean.getInstance()) at application startup.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
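The following Struts 1 PlugIn is an added example, not code from the Struts project, Commons BeanUtils or this advisory, showing the manual suppression described in the Vulnerability Info and Mitigation sections. It assumes commons-beanutils 1.9.2 or later has replaced the 1.8.0 jar that Struts 1.3.10 ships, and the class names SuppressClassPlugIn and DemoForm are illustrative. The main method demonstrates, on a constructed parameter map, that class.classLoader is reachable before hardening and rejected afterwards.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionServlet;
import org.apache.struts.action.PlugIn;
import org.apache.struts.config.ModuleConfig;

/**
 * Example PlugIn (not part of Struts): hardens the shared BeanUtilsBean that
 * RequestUtils.populate() uses so request parameters can no longer reach the
 * "class" property. Needs commons-beanutils >= 1.9.2 on the classpath.
 */
public class SuppressClassPlugIn implements PlugIn {

    /** Register the class-property suppressor on the per-webapp BeanUtilsBean. */
    public static void harden() {
        // BeanUtilsBean.getInstance() is keyed by context ClassLoader, so calling
        // this from the webapp gives the same instance Struts populates with.
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        // Drops the "class" descriptor from every introspected bean; this is
        // exactly what 1.9.4 does by default (the CVE-2019-10086 fix).
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; flush so forms already introspected
        // are re-read with the suppressor applied.
        pub.clearDescriptors();
    }

    public void init(ActionServlet servlet, ModuleConfig config) throws ServletException {
        harden();
    }

    public void destroy() { }

    /** Minimal ActionForm used only by the stand-alone demo. */
    public static class DemoForm extends ActionForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        DemoForm form = new DemoForm();

        // Constructed parameters, in the shape Struts hands to BeanUtils.populate().
        Map<String, String> params = new HashMap<String, String>();
        params.put("name", "alice");
        params.put("class.classLoader.foo", "bar"); // hostile key; real payloads extend this chain

        // Unhardened: the bean's own ClassLoader is reachable by name.
        System.out.println("before: " + BeanUtils.getProperty(form, "class.classLoader"));

        harden();

        try {
            BeanUtils.getProperty(form, "class.classLoader");
            System.out.println("after: still reachable (hardening failed)");
        } catch (NoSuchMethodException expected) {
            // "Unknown property 'class' ..." : the descriptor no longer exists.
            System.out.println("after: " + expected.getMessage());
        }

        // populate() skips the hostile key (nested lookup of "class" fails) and
        // sets only the genuine property.
        BeanUtils.populate(form, params);
        System.out.println("name=" + form.getName());
    }
}
```

Register the plug-in in struts-config.xml with a plug-in element whose className points at this class, so harden() runs once per module at ActionServlet startup. Because the suppressor is attached to the BeanUtilsBean instance rather than to a request, it also covers multipart form fields and any other code path in the webapp that calls BeanUtils.populate() or BeanUtils.setProperty().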