  1. Active and Available Inventory
  2. AAI-595 Review security issues: aai-resources
  3. AAI-794

CVE-2014-0114 [maven] commons-beanutils : commons-beanutils : 1.9.2


    • Sub-task
    • Resolution: Done
    • High
    • Beijing Release
    • A&AI Sprint 9, A&AI Sprint 10, AAI Sprint 11, AAI Sprint 12, AAI Sprint 13

      Issue: CVE-2014-0114
      Source: National Vulnerability Database
      Severity: CVE CVSS 2.0: 7.5
      Weakness: CVE CWE: 20

      Description from CVE

      Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

      Explanation

      Apache Commons BeanUtils is vulnerable to ClassLoader manipulation, which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, so it is exposed by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader, potentially leading to arbitrary code execution.

      Note: This vulnerability is also the root cause of CVE-2017-3503.

      Detection

      If you are the calling application, you are vulnerable if you run this component without filtering the class property name. If this is a transitive dependency, contact the parent project to ensure they have added a mitigating control.

      Recommendation

      In version 1.9.2, commons-beanutils added SuppressPropertiesBeanIntrospector, which includes a specialized instance of itself, the SUPPRESS_CLASS constant, that specifically suppresses the class property. However, this is not enabled by default.

      We recommend filtering the class property name by using either:

      • The SUPPRESS_CLASS specialized instance of SuppressPropertiesBeanIntrospector
      • A custom instance of SuppressPropertiesBeanIntrospector that will suppress the class property.

      Alternatively, you can implement a custom servlet filter as described in https://community.hpe.com/t5/Security-Research/Protect-your-Struts1-applications/ba-p/6463188#.VCUfrhYvBaV.
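
One way to apply the first option above, as an added example that is not code from the AAI project or from commons-beanutils. It assumes commons-beanutils 1.9.2 on the classpath; `SampleForm`, `harden` and `exposesClass` are hypothetical names, and the request parameters are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassExample {

    // Constructed sample bean standing in for a request-bound form object.
    public static class SampleForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Hypothetical helper: registers SUPPRESS_CLASS on one BeanUtilsBean instance.
    static BeanUtilsBean harden(BeanUtilsBean beanUtils) {
        PropertyUtilsBean props = beanUtils.getPropertyUtils();
        props.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors cached before registration would still contain "class".
        props.clearDescriptors();
        return beanUtils;
    }

    // Hypothetical check: is "class" still resolvable as a bean property?
    static boolean exposesClass(BeanUtilsBean beanUtils, Object bean) throws Exception {
        return beanUtils.getPropertyUtils().getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        SampleForm form = new SampleForm();

        // A fresh instance with no suppressing introspector registered.
        System.out.println("unfiltered exposes class: " + exposesClass(new BeanUtilsBean(), form));

        // The shared instance is what the static BeanUtils/PropertyUtils helpers delegate to.
        BeanUtilsBean shared = harden(BeanUtilsBean.getInstance());
        System.out.println("hardened exposes class:   " + exposesClass(shared, form));

        // Constructed parameters: one legitimate field, one nested path rooted at "class".
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.placeholder", "x");
        shared.populate(form, params); // the "class" path cannot be resolved and is skipped
        System.out.println("name after populate:      " + form.getName());
    }
}
```

Call `harden` once at application startup, before any bean is introspected; any `BeanUtilsBean` or `PropertyUtilsBean` created elsewhere with `new` needs the same registration.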

      Categories: Data
      Root Cause: commons-beanutils-1.9.2.jar : [1.9.2,)

      Advisories

      Project: https://issues.apache.org/jira/browse/BEANUTILS-463
      Attack: http://www.rapid7.com/db/modules/exploit/multi/http/struts_c...

            rx2202
            jimmydot