Vulnerability in Apache Struts Could Allow Remote Code Execution

ITS Advisory Number: 2014-038
Date(s) Issued: Friday, April 25, 2014
Subject: Vulnerability in Apache Struts Could Allow Remote Code Execution
Overview:

A vulnerability has been discovered in Apache Software Foundation Struts versions 2.0.0 - 2.3.16.1. Apache Struts is an open source framework used for building Java web applications. Successful exploitation of this vulnerability could allow for a denial of service condition which would then allow the attacker to perform remote code execution. Within the context of the application, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

At this time there is a proof-of-concept available. There is currently no patch available from Apache, but mitigation steps are provided in the links below.

Systems Affected: 
  • Apache Struts 2.0.0 - 2.3.16.1
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: N/A
Description: 

A vulnerability has been discovered in Apache Struts versions 2.0.0 - 2.3.16.1 that, when exploited, first produces a Denial of Service (DoS) condition that bypasses the fix previously released in version 2.3.16.1. Once that fix is bypassed, remote code execution becomes possible because shared hosting directories can be mapped on affected products running impacted versions of Struts. Successful exploitation of this vulnerability could allow for a denial of service condition which would then allow the attacker to perform remote code execution. Within the context of the application, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability stems from ClassLoader manipulation: Struts fails to restrict access to the 'class' parameter, which 'ParametersInterceptor' maps directly onto the 'getClass()' method of the action. This issue was previously thought to have been resolved by updating to version 2.3.16.1, but that patch did not resolve the issue and as a result can be bypassed and exploited.
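As an added illustration of the defender's side (this is not code from the advisory, from Apache or from the Struts project), the following Python snippet scans constructed web-server access-log lines for request parameters whose OGNL-style property path navigates into the 'class' property that 'ParametersInterceptor' maps onto 'getClass()'. The log lines, parameter names and function names are all assumptions; the check normalises case and both dot and bracket navigation so that a rule does not depend on one exact spelling.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the advisory): one benign
# request and two whose parameter names reach into the 'class' property.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2014:10:01:02 +0000] "GET /app/login.action?user=bob&remember=1 HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2014:10:01:07 +0000] "GET /app/login.action?class.classLoader.foo=x HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2014:10:01:09 +0000] "POST /app/save.action?Class%5B%27classLoader%27%5D.bar=1 HTTP/1.1" 500 0
"""

# Extract method and request target from a common-log-format request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL property navigation: split on '.', '[', ']' and quotes so that
# a.b, a['b'], a["b"] and a[b] all yield the same path segments.
SEGMENT_RE = re.compile(r"[.\[\]'\"]+")

def path_segments(param_name: str) -> list:
    """Return the non-empty navigation segments of a parameter name."""
    return [s for s in SEGMENT_RE.split(param_name) if s]

def references_class_property(param_name: str) -> bool:
    """True if any segment of the path is the 'class' property (case-insensitive,
    because the 2.3.16.1 filter was bypassed and a defensive rule should not
    rely on exact spelling)."""
    return any(seg.lower() == "class" for seg in path_segments(param_name))

def suspicious_params(target: str) -> list:
    """Return the percent-decoded parameter names in a request target that
    navigate into the 'class' property."""
    query = urlsplit(target).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if references_class_property(n)]

def scan_log(text: str) -> list:
    """Return (line number, request target, flagged parameter names) for every
    log line whose request carries a suspicious parameter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append((lineno, m.group("target"), flagged))
    return hits

if __name__ == "__main__":
    for lineno, target, flagged in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {target} -> {flagged}")
```

Only parameter names are inspected, so a value that merely contains the word "class" is not flagged, while a bracket-quoted or differently capitalised path segment is.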

Actions: 
  • Incorporate the mitigation steps provided by Apache (see REFERENCES below).
  • Apply the update from Apache, as soon as one becomes available, after appropriate testing.
References: 
Apache:
http://mail-archives.us.apache.org/mod_mbox/www-announce/201404.mbox/%[email protected]%3E
http://struts.apache.org/announce.html#a20140424
Security Focus:
http://www.securityfocus.com/bid/65999
http://www.securityfocus.com/bid/67064
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
PwnTesting:
http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/