The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Struts 1: code execution via ClassLoader

Synthesis of the vulnerability 

An attacker can use the "class" parameter, to manipulate the ClassLoader, in order to execute code.
Impacted products: Struts, Debian, BIG-IP Hardware, TMOS, Fedora, SiteScope, IRAD, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Puppet, RHEL, RSA Authentication Manager, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity of this bulletin: 3/4.
Creation date: 26/05/2014.
References of this threat: 1672316, 1673982, 1674339, 1675822, 2016214, c04399728, c05324755, CERTFR-2014-AVI-382, cpuapr2017, cpujan2018, cpujan2019, cpuoct2017, cpuoct2018, CVE-2014-0114, DSA-2940-1, ESA-2014-080, FEDORA-2014-9380, HPSBGN03669, HPSBMU03090, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, MDVSA-2014:095, RHSA-2014:0474-01, RHSA-2014:0497-01, RHSA-2014:0500-01, RHSA-2014:0511-01, RHSA-2018:2669-01, SOL15282, SUSE-SU-2014:0902-1, swg22017525, VIGILANCE-VUL-14799, VMSA-2014-0008, VMSA-2014-0008.1, VMSA-2014-0008.2, VMSA-2014-0012.

Description of the vulnerability 

The Apache Struts product is used to develop Java EE applications.

However, Struts 1 populates ActionForm beans from request parameters through Apache Commons BeanUtils, and the bean introspection it relies on exposes Object.getClass() as a "class" property. A request parameter whose name starts with "class." is therefore resolved as a nested property path through getClass(), which gives the attacker a write path into the ClassLoader and the objects reachable from it (for example container-specific resources or logging settings), which is enough to drop or load code.

An attacker can therefore use the "class" parameter, to manipulate the ClassLoader, in order to execute code.
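The following Python is an added example, not code from this bulletin or from the Apache Struts project, and it is not the workaround the bulletin refers to. It shows the check a request filter or a log review would apply: a parameter name is split into the property-path segments BeanUtils understands (nested "a.b", indexed "a[0]", mapped "a(key)"), and any path with a segment spelled "class" is rejected. The access-log lines, the client addresses and the choice to match "class" regardless of case are assumptions made for the illustration.

```python
"""Added example: flag request parameter names that would make
Commons BeanUtils walk through getClass() ("class.classLoader...").
Illustrative only; not the Apache-published Struts 1 filter."""
import re
from urllib.parse import parse_qsl, urlsplit

# BeanUtils property paths: nested "a.b", indexed "a[0]", mapped "a(key)".
_SPLIT = re.compile(r"[.\[(]")
_TRIM = "])\"'"


def property_segments(name):
    """'class.classLoader.URLs[0]' -> ['class', 'classLoader', 'URLs', '0']"""
    segs = (s.strip(_TRIM) for s in _SPLIT.split(name))
    return [s for s in segs if s]


def is_classloader_probe(name):
    """True when the parameter name would make BeanUtils.populate() resolve
    the bean's 'class' pseudo-property (Object.getClass()) and keep walking.
    Matching the whole segment, not a substring, keeps names such as
    'classification' out; matching case-insensitively is an assumption
    made here to be conservative (no ActionForm field should be 'class')."""
    return any(seg.lower() == "class" for seg in property_segments(name))


def filter_params(query):
    """Split a query string into (accepted dict, rejected name list).
    parse_qsl percent-decodes names first, so 'class%2EclassLoader' is
    seen as 'class.classLoader'."""
    accepted, rejected = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_classloader_probe(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Combined/common log format: client, timestamp, method, target, status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client, path, flagged parameter name) for every probe seen."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        _, rejected = filter_params(url.query)
        for name in rejected:
            hits.append((client, url.path, name))
    return hits


# Constructed sample log lines (assumed addresses, paths and payloads).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2014:10:00:01 +0000] "GET /app/login.do?name=alice&age=30 HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/May/2014:10:00:02 +0000] "GET /app/login.do?class.classLoader.resources.dirContext.docBase=/tmp HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/May/2014:10:00:03 +0000] "POST /app/save.do?user.class%2EclassLoader.x=1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, path, name in scan_access_log(SAMPLE_LOG):
        print(f"{client} probed {path} with parameter {name!r}")
```

The check is applied to the decoded parameter name, so a dot hidden as %2E is still caught, and it looks at whole segments rather than the substring "class", so ordinary field names are not rejected. A production filter has to run on POST bodies and multipart fields as well, since BeanUtils populates the form from every request parameter, not only from the query string.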


Our Vigil@nce team rated the severity of this security alert as important.

The trust level is "confirmed by the editor", and the attack origin is an internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Apache Struts 1: workaround for ClassLoader.
A workaround is indicated in the information source.

Apache commons-beanutils: version 1.9.2.
The version 1.9.2 is fixed:
  http://commons.apache.org/proper/commons-beanutils/

Continuous Delivery for Puppet Enterprise: version 2.18.2.
The version 2.18.2 is fixed:
  https://puppet.com/

Debian: new libstruts1.2-java packages.
New packages are available:
  Debian 7: libstruts1.2-java 1.2.9-5+deb7u1

F5 BIG-IP: solution for Struts.
The solution is indicated in information sources.

Fedora: new struts packages.
New packages are available:
  Fedora 20: struts 1.3.10-10.fc20

HPE SiteScope: patch.
A patch is indicated in information sources.

HP SiteScope: patch for Apache Struts.
Patches are available in the information source for versions 11.1x and 11.2x.

IBM Rational Application Developer: patch for Struts.
A patch is available in information sources.

IBM Tivoli Storage Manager: patch for Integrated Portal.
A patch is available:
  http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Integrated+Portal&release=All&platform=All&function=aparId&apars=PI18558

IBM Tivoli System Automation Application Manager: solution for WebSphere AS.
The solution is indicated in information sources.

IBM WebSphere AS: patch for Apache Struts / Commons.
A patch is indicated in information sources.

Mandriva: new struts packages.
New packages are available:
  Mandriva ES5: struts 1.2.9-6.1mdvmes5.2
  Mandriva BS1: struts 1.3.10-3.1.mbs1

Oracle Communications: CPU of January 2019.
A Critical Patch Update is available:
  https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Fusion Middleware: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2228898.1

Oracle Fusion Middleware: CPU of January 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2325393.1

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Oracle Fusion Middleware: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2433477.1

Puppet Enterprise: versions 2018.1.5 and 2019.0.1.
Versions 2018.1.5 and 2019.0.1 are fixed:
  https://puppet.com/

Red Hat JBoss Fuse: version 6.1.0 Patch 1.
The version 6.1.0 Patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0

Red Hat JBoss Fuse: version 7.1.
The version 7.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0

Red Hat JBoss Operations Network: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0

Red Hat Satellite: new struts packages.
New packages are available:
  RHEL 6: struts 1.3.10-6.ep5.el6

RHEL 5: new struts packages.
New packages are available:
  RHEL 5: struts 1.2.9-4jpp.8.el5_10

RSA Authentication Manager: solution for Apache Struts.
The solution is indicated on:
  https://knowledge.rsasecurity.com/

SUSE LE: new struts packages.
New packages are available:
  SUSE LE 11: struts 1.2.9-162.33.1

VMware vCenter: version 5.0 Update 3c.
The version 5.0 Update 3c is fixed:
  https://www.vmware.com/go/download-vsphere

VMware vCenter: version 5.1 Update 3.
The version 5.1 Update 3 is fixed:
  https://www.vmware.com/go/download-vsphere

VMware vCenter: version 5.5 Update 2.
The version 5.5 Update 2 is fixed:
  https://www.vmware.com/go/download-vsphere

WebSphere AS: patch for Struts.
A patch is available in information sources.

WebSphere Enterprise Service: solution for Apache Struts.
The solution is indicated in information sources.
