Discussion:
[ANN][SECURITY] Struts 1 - CVE-2014-0114 -Mitigation Advice Available, Possible RCE Impact
Rene Gielen
2014-05-01 18:59:12 UTC
Permalink
As confirmed in our last announcement, the Apache Struts 1 framework in
all versions is affected by a ClassLoader manipulation vulnerability
(CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2
(CVE-2014-0112, CVE-2014-0094) [1].

Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable request
parameters based on regular expressions. Please see the corresponding HP
Fortify blog entry [2] for detailed instructions.

The HP Fortify team also informed us that the vulnerability may be
exploited for Remote Code Execution (RCE) in certain environments. Based
on this information, the Apache Struts project team recommends to apply
the mitigation advice *immediately* for all Struts 1 based applications.

Struts 1 has had its End-Of-Life announcement more than one year ago
[3]. However, in a cross project effort the Struts team is looking for a
correction or an improved mitigation path. Please stay tuned for further
information regarding a solution.

This is a cross-list posting. If you have questions regarding this
report, please direct them to security-pMnX+1kI5w9d/SJB6HiN2Ni2O/***@public.gmane.org only.

[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
[3] http://struts.apache.org/struts1eol-announcement.html
--
René Gielen
http://twitter.com/rgielen
Eric Reed
2014-05-01 19:10:25 UTC
Permalink
Rene,

Thank you for your insight and advice.

I have successfully secured 5 production applications with proof of
concept before and after and have re-deployed these critical
applications in under 4 hours with very little down time.

Best Regards,
Eric
As confirmed in our last announcement, the Apache Struts 1 framework
in
all versions is affected by a ClassLoader manipulation vulnerability
(CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2
(CVE-2014-0112, CVE-2014-0094) [1].

Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable
request
parameters based on regular expressions. Please see the corresponding
HP
Fortify blog entry [2] for detailed instructions.

The HP Fortify team also informed us that the vulnerability may be
exploited for Remote Code Execution (RCE) in certain environments.
Based
on this information, the Apache Struts project team recommends to
apply
the mitigation advice *immediately* for all Struts 1 based
applications.

Struts 1 has had its End-Of-Life announcement more than one year ago
[3]. However, in a cross project effort the Struts team is looking for
a
correction or an improved mitigation path. Please stay tuned for
further
information regarding a solution.

This is a cross-list posting. If you have questions regarding this
report, please direct them to security-pMnX+1kI5w9d/SJB6HiN2Ni2O/***@public.gmane.org only.

[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro

[3] http://struts.apache.org/struts1eol-announcement.html
--
René Gielen
http://twitter.com/rgielen
Rene Gielen
2014-05-01 18:59:12 UTC
Permalink
As confirmed in our last announcement, the Apache Struts 1 framework in
all versions is affected by a ClassLoader manipulation vulnerability
(CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2
(CVE-2014-0112, CVE-2014-0094) [1].

Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable request
parameters based on regular expressions. Please see the corresponding HP
Fortify blog entry [2] for detailed instructions.

The HP Fortify team also informed us that the vulnerability may be
exploited for Remote Code Execution (RCE) in certain environments. Based
on this information, the Apache Struts project team recommends to apply
the mitigation advice *immediately* for all Struts 1 based applications.

Struts 1 has had its End-Of-Life announcement more than one year ago
[3]. However, in a cross project effort the Struts team is looking for a
correction or an improved mitigation path. Please stay tuned for further
information regarding a solution.

This is a cross-list posting. If you have questions regarding this
report, please direct them to ***@struts.apache.org only.

[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
[3] http://struts.apache.org/struts1eol-announcement.html
--
René Gielen
http://twitter.com/rgielen
Eric Reed
2014-05-01 19:10:25 UTC
Permalink
Rene,

Thank you for your insight and advice.

I have successfully secured 5 production applications with proof of
concept before and after and have re-deployed these critical
applications in under 4 hours with very little down time.

Best Regards,
Eric
As confirmed in our last announcement, the Apache Struts 1 framework
in
all versions is affected by a ClassLoader manipulation vulnerability
(CVE-2014-0114) similar to a recently fixed vulnerability in Struts 2
(CVE-2014-0112, CVE-2014-0094) [1].

Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the
Apache Struts project team can recommend a first mitigation that is
relatively simple to apply. It involves the introduction of a generic
Servlet filter, adding the possibility to blacklist unacceptable
request
parameters based on regular expressions. Please see the corresponding
HP
Fortify blog entry [2] for detailed instructions.

The HP Fortify team also informed us that the vulnerability may be
exploited for Remote Code Execution (RCE) in certain environments.
Based
on this information, the Apache Struts project team recommends to
apply
the mitigation advice *immediately* for all Struts 1 based
applications.

Struts 1 has had its End-Of-Life announcement more than one year ago
[3]. However, in a cross project effort the Struts team is looking for
a
correction or an improved mitigation path. Please stay tuned for
further
information regarding a solution.

This is a cross-list posting. If you have questions regarding this
report, please direct them to ***@struts.apache.org only.

[1] http://struts.apache.org/release/2.3.x/docs/s2-021.html
[2]
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro

[3] http://struts.apache.org/struts1eol-announcement.html
--
René Gielen
http://twitter.com/rgielen
Loading...