Apache Struts ActionForm ClassLoader Security Bypass Vulnerability
Publish Date: 21 Juli 2015
Schweregrad:: Hoch
CVE Kennungen:: CVE-2014-0114
Hinweisdatum: 21 Juli 2015
Beschreibung
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Trend Micro Lösungen
Apply associated Trend Micro DPI Rules.
Lösungen
Trend Micro Deep Security DPI Rule Number: 1006015
Trend Micro Deep Security DPI Rule Name: 1006015 - Restrict Apache Struts 'class.classLoader' Request
Betroffene Software und Version:
- apache struts 1.0
- apache struts 1.0.2
- apache struts 1.1
- apache struts 1.2.2
- apache struts 1.2.4
- apache struts 1.2.6
- apache struts 1.2.7
- apache struts 1.2.8
- apache struts 1.2.9
- apache struts 1.3.10
- apache struts 1.3.5
- apache struts 1.3.8