SecurityTracker.com
Category:   Application (Generic)  >   Struts
Vendor:   Apache Software Foundation
Apache Struts Bugs Let Remote Users Deny Service and Manipulate the ClassLoader
SecurityTracker Alert ID:  1029876
SecurityTracker URL:  http://securitytracker.com/id/1029876
CVE Reference:   CVE-2014-0050, CVE-2014-0094
Updated:  Apr 25 2014
Original Entry Date:  Mar 6 2014
Impact:   Denial of service via network, Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.0 - 2.3.16
Description:   Two vulnerabilities were reported in Apache Struts. A remote user can cause denial of service conditions. A remote user can manipulate the ClassLoader.

A remote user can supply specially crafted 'class' parameter values to the ParametersInterceptor class to manipulate the ClassLoader [CVE-2014-0094].

A remote user can send a multipart request with a specially crafted Content-Type header to trigger a flaw in the Apache Commons FileUpload component and cause denial of service conditions [CVE-2014-0050].
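As an added defender-side example (not part of the SecurityTracker entry or the Struts project), the following Python scans constructed request records for the two patterns the advisory describes: parameter names that address the implicit 'class' property, including case and bracket variants of the kind the first fix missed, and multipart Content-Type headers with an abnormally long boundary. The boundary threshold, the sample requests and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Parameter names that step into the object graph through the implicit
# 'class' property (CVE-2014-0094). Case-insensitive and bracketed spellings
# are matched too, since the 2.3.16.1 exclusion was later found incomplete.
CLASS_PARAM = re.compile(r"(^|\.|\[['\"]?)class(\.|\[|['\"]?\])", re.IGNORECASE)

# Assumed tunable (not a value from the advisory): real clients use boundaries
# of a few dozen bytes; the FileUpload bug needs one far longer than that.
MAX_BOUNDARY_LEN = 1024
BOUNDARY = re.compile(r'boundary="?([^";]*)', re.IGNORECASE)

def suspicious_params(query):
    """Return the parameter names in a query string that address 'class'."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if CLASS_PARAM.search(name)]

def oversized_boundary(content_type, limit=MAX_BOUNDARY_LEN):
    """True when a multipart Content-Type declares an abnormally long boundary."""
    if not content_type.lower().startswith("multipart/"):
        return False
    match = BOUNDARY.search(content_type)
    return match is not None and len(match.group(1)) > limit

def scan_requests(requests):
    """requests: iterable of (query_string, content_type) pairs.
    Returns (index, CVE id, detail) triples for every suspicious request."""
    findings = []
    for i, (query, content_type) in enumerate(requests):
        for name in suspicious_params(query):
            findings.append((i, "CVE-2014-0094", name))
        if oversized_boundary(content_type):
            findings.append((i, "CVE-2014-0050", "multipart boundary length"))
    return findings

# Constructed sample traffic: a benign post, two ClassLoader probes differing
# only in case, an oversized boundary, and a benign name containing 'class'.
SAMPLE_REQUESTS = [
    ("user.name=alice&user.age=30", "application/x-www-form-urlencoded"),
    ("class.classLoader.someProperty=x", "application/x-www-form-urlencoded"),
    ("Class.classLoader.someProperty=x", "application/x-www-form-urlencoded"),
    ("file=report.pdf", "multipart/form-data; boundary=" + "A" * 2000),
    ("user.classification=secret", "application/x-www-form-urlencoded"),
]

if __name__ == "__main__":
    for index, cve, detail in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {cve} ({detail})")
```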

Mark Thomas and Przemyslaw Celej reported these vulnerabilities.

Impact:   A remote user can cause denial of service conditions.

A remote user can manipulate the ClassLoader.

Solution:   The vendor has issued a fix (2.3.16.1).

[Editor's note: The original fix for CVE-2014-0094 is incomplete (see Alert ID 1030152).]

The vendor's advisory is available at:

http://struts.apache.org/release/2.3.x/docs/s2-020.html

Vendor URL:  struts.apache.org/release/2.3.x/docs/s2-020.html
Cause:   Access control error, Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 25 2014 (VMware Issues Fix for vCenter Operations Management Suite) Apache Struts Bugs Let Remote Users Deny Service and Manipulate the ClassLoader   (VMware Security Announcements <security-announce@lists.vmware.com>)
VMware has issued a fix for vCenter Operations Management Suite 5.8.x.



 Source Message Contents

Date:  Thu, 06 Mar 2014 10:04:12 +0100
Subject:  [ANN] Struts 2.3.16.1 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.16.1 is
available as a "General Availability" release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release includes important security fixes:
- S2-020 - ClassLoader manipulation via request parameters
- upgraded Commons FileUpload library to prevent DoS attacks

* http://struts.apache.org/release/2.3.x/docs/s2-020.html

All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.16.1

Struts 2.3.16.1 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts23161

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

The release notes are available online at:
* http://struts.apache.org/release/2.3.x/docs/version-notes-23161.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Copyright 2014, SecurityGlobal.net LLC