Apache Struts2 18.104.22.168 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters
Apache Struts2 22.214.171.124 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters. An earlier attempt to address this vulnerability, S2-020 (ClassLoader manipulation via request parameters), was not sufficient.
Struts2 maps Web request parameters to Java methods, so an attacker could invoke a specific method on a remote Java server by specifying it in a URL. All Java objects have a getClass() method, which returns the object's Class (the object that represents its class). Every Class has a ClassLoader, which is the class that loaded the initial class; an attacker could access the ClassLoader using the Class.getClassLoader() method.
An unauthenticated attacker could manipulate the ClassLoader into disclosing private Class information or possibly loading a malicious class file.
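For reviewing request logs or pre-filtering input, the following added example (not part of the original note and not the vendor's workaround) flags parameter names whose property path contains a whole `class` or `classLoader` segment, the chain described above. The function names, the blocked-segment list and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path segments that expose the object's Class or its ClassLoader when a
# parameter name is walked as a getter chain (getClass(), getClassLoader()).
# Assumed list for this example; extend it to match your own policy.
BLOCKED_SEGMENTS = {"class", "classloader"}

# Separators in a property path: dots and bracket/quote index syntax.
_SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")


def segments(param_name):
    """Split a parameter name such as a.b['c'] into [a, b, c]."""
    return [s for s in _SEGMENT_SPLIT.split(param_name) if s]


def is_suspicious(param_name):
    """True if any whole path segment is class/classLoader (case-insensitive)."""
    return any(s.lower() in BLOCKED_SEGMENTS for s in segments(param_name))


def flag_request(url, body=""):
    """Return suspicious parameter names from a URL query and a form body.

    parse_qsl percent-decodes names, so encoded brackets and quotes are
    normalised before the path is split into segments.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [name for name, _ in pairs if is_suspicious(name)]


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/app/save.action?user.name=alice&classification=public", ""),
    ("/app/save.action?class.classLoader.someProperty=x", ""),
    ("/app/save.action?user%5B%27class%27%5D.someProperty=x", ""),
    ("/app/save.action", "top.Class.classLoader.someProperty=x&id=7"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", flag_request(url, body) or "clean")
```

Matching whole segments rather than substrings keeps ordinary fields such as `classification` or `user.className` from being flagged.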
The vendor has stated the following workaround:
This vulnerability was publicly reported by Apache Struts2.
This document was written by Michael Orlando and David Svoboda.
Date First Published: 2014-04-25
Date Last Updated: 2014-07-24 21:53 UTC