    Apache Struts ClassLoader Manipulation Vulnerability in IBM Products

    Severity Rating: High

    Systems Affected

    • IBM WebSphere Application Server Version 7 & 6.1
    • IBM WebSphere Application Server Hypervisor Edition Version 7 & 6.1
    • IBM WebSphere Lombardi Edition version 7.2 and earlier
    • IBM Business Process Manager Standard Version 7.5.x, 8.0.x & 8.5.x
    • IBM Business Process Manager Express Version 7.5.x, 8.0.x & 8.5.x
    • IBM Business Process Manager Advanced Version 7.5.x, 8.0.x & 8.5.x

    Component Affected

    • Apache Struts version 1.x to 1.3.10

    Overview

    A vulnerability has been reported in the Apache Struts platform which could allow an unauthenticated remote attacker to execute arbitrary code on the system.

    Description

    The vulnerability exists in the ActionForm object in Apache Struts, which does not properly restrict access to the "class" parameter; that parameter is mapped directly to the `getClass()` method. A remote attacker could exploit this vulnerability by using the class parameter of an ActionForm object to manipulate the class loader used by the application server running Struts.

    Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the system.
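    As an added defensive check, not part of this advisory or of IBM's or Apache's own fix, the Python below scans web server access logs for request parameter names that traverse into an ActionForm's `class` property (dot or bracket notation, URL-encoded or not), which is the shape of request this vulnerability depends on. The regular expression is this example's own approximation of a parameter-name filter, not the vendor's, and the log lines are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl

# Struts 1 / BeanUtils resolve nested property names such as "a.b" or
# "a['b'].c" by calling the matching getters in turn, so a parameter name
# that starts with, or steps into, "class" reaches getClass() and from
# there the class loader. This pattern is an assumption for this example,
# not IBM's or Apache's official filter; it is case-insensitive on purpose.
CLASS_PARAM = re.compile(r"""(^|\.|\[['"]?)class(['"]?\]|\.|\[|$)""", re.IGNORECASE)

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')

# Constructed sample log; the third entry is the URL-encoded form of
# form['class'].classLoader.foo, the last one contains only benign look-alikes.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2014:10:00:01 +0000] "GET /app/login.do?username=alice&remember=1 HTTP/1.1" 200 512
10.0.0.9 - - [03/May/2014:10:00:02 +0000] "GET /app/login.do?class.classLoader.foo=bar HTTP/1.1" 500 0
10.0.0.9 - - [03/May/2014:10:00:03 +0000] "POST /app/save.do?form%5B%27class%27%5D.classLoader.foo=1 HTTP/1.1" 500 0
10.0.0.7 - - [03/May/2014:10:00:04 +0000] "GET /app/list.do?className=Customer&classId=3 HTTP/1.1" 200 2048
"""


def is_classloader_probe(param_name: str) -> bool:
    """True when the (decoded) parameter name steps through the 'class' property."""
    return CLASS_PARAM.search(param_name) is not None


def flag_request(query_string: str) -> List[str]:
    """Decode a query string and return the parameter names that hit the check."""
    return [name for name, _ in parse_qsl(query_string, keep_blank_values=True)
            if is_classloader_probe(name)]


def scan_log(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, flagged parameter names) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match or "?" not in match.group(1):
            continue
        flagged = flag_request(match.group(1).split("?", 1)[1])
        if flagged:
            hits.append((lineno, flagged))
    return hits


if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: class-loader probe via {names}")
```

    Parameters sent in a POST body never appear in an access log, so the same `is_classloader_probe` check belongs in a servlet filter in front of the Struts action servlet as well.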

    Solution

    Apply the appropriate patches as listed in IBM's support documents.

    http://www-01.ibm.com/support/docvie...id=swg21674435
    http://www-01.ibm.com/support/docvie...id=swg21672316

    Vendor Information
    IBM
    https://www-304.ibm.com/support/docv...id=swg21672316

    References
    Secunia
    http://secunia.com/advisories/cve_re.../CVE-2014-0114

    Red Hat
    https://access.redhat.com/security/cve/CVE-2014-0114

    Security Focus
    http://www.securityfocus.com/bid/67121/

    Security Tracker
    http://securitytracker.com/id/1030245