Sub-task
Resolution: Done
High
A&AI Sprint 9, A&AI Sprint 10, AAI Sprint 11, AAI Sprint 12, AAI Sprint 13
Issue
CVE-2014-0114
Source
National Vulnerability Database
Severity
CVE CVSS 2.0: 7.5
Weakness
CVE CWE: 20
Description from CVE
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Explanation
Apache Commons BeanUtils is vulnerable to ClassLoader manipulation, which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, so it is exposed by default. An attacker can construct malicious input that references the class property in order to manipulate the ClassLoader, potentially leading to arbitrary code execution.
Note: This vulnerability is also the root cause of CVE-2017-3503.
Detection
If your application calls this component directly, it is vulnerable whenever it runs the component without filtering the class property name. If this is a transitive dependency, contact the parent project to ensure they have added a mitigating control.
Recommendation
In version 1.9.2, commons-beanutils added SuppressPropertiesBeanIntrospector, which provides a specialized instance of itself as the SUPPRESS_CLASS constant that specifically suppresses the class property. However, this introspector is not registered by default, so the class property remains exposed unless the application enables it.
We recommend filtering the class property name by using either:
The SUPPRESS_CLASS specialized instance of SuppressPropertiesBeanIntrospector
A custom instance of SuppressPropertiesBeanIntrospector that will suppress the class property.
Alternatively, you can implement a custom servlet filter as described in https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
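Added example (not part of this record or of the commons-beanutils project) showing the first recommended option: registering SUPPRESS_CLASS on a dedicated BeanUtilsBean and checking that the class property is no longer resolvable. The LoginForm bean, the class name and the parameter map are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    /** Constructed stand-in for an ActionForm-like bean that receives request parameters (hypothetical). */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /** Build a BeanUtilsBean whose introspection never exposes the "class" property. */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        // SUPPRESS_CLASS is the specialized instance added in commons-beanutils 1.9.2.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per bean class; clear them so the introspector applies to classes seen earlier.
        propertyUtils.clearDescriptors();
        return beanUtils;
    }

    /** True if the given property name resolves to a readable bean property under this BeanUtilsBean. */
    public static boolean exposesProperty(BeanUtilsBean beanUtils, Object bean, String name) {
        return beanUtils.getPropertyUtils().isReadable(bean, name);
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();
        BeanUtilsBean unfiltered = new BeanUtilsBean();
        BeanUtilsBean hardened = hardenedBeanUtils();

        // Default introspection exposes "class" because every Object has getClass().
        System.out.println("default exposes class:  " + exposesProperty(unfiltered, form, "class"));
        // With SUPPRESS_CLASS registered, "class" is no longer a bean property.
        System.out.println("hardened exposes class: " + exposesProperty(hardened, form, "class"));

        // Constructed request-style parameters: the hardened instance skips the unknown "class" key
        // and still populates the legitimate property.
        Map<String, String> params = new HashMap<>();
        params.put("username", "alice");
        params.put("class", "ignored");
        hardened.populate(form, params);
        System.out.println("username after populate: " + form.getUsername());
    }
}
```

The same registration works on the shared instance returned by BeanUtilsBean.getInstance() if the application uses the static BeanUtils helpers rather than its own instance.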
Categories
Data
Root Cause
commons-beanutils-1.9.2.jar : [1.9.2,)
Advisories
Project: https://issues.apache.org/jira/browse/BEANUTILS-463
Attack: http://www.rapid7.com/db/modules/exploit/multi/http/struts_c...