Apache Struts ActionForm ClassLoader Security Bypass Vulnerability
Publish Date: 21 luglio 2015
Gravità: : Alto
Identificatori CVE: CVE-2014-0114
Data notifica: 21 luglio 2015
Descrizione
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Informazioni esposizione:
Apply associated Trend Micro DPI Rules.
Soluzioni
Trend Micro Deep Security DPI Rule Number: 1006015
Trend Micro Deep Security DPI Rule Name: 1006015 - Restrict Apache Struts 'class.classLoader' Request
Software e versione interessati:
- apache struts 1.0
- apache struts 1.0.2
- apache struts 1.1
- apache struts 1.2.2
- apache struts 1.2.4
- apache struts 1.2.6
- apache struts 1.2.7
- apache struts 1.2.8
- apache struts 1.2.9
- apache struts 1.3.10
- apache struts 1.3.5
- apache struts 1.3.8