Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
  • About Us

    The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.

    Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user supplied parameter values to ParametersInterceptor and CookieInterceptor.

    • CVE-2014-0112 was due to incomplete security fix for another recent vulnerability : CVE-2014-0094, which was reported in early March and discussed in S2-020. The vulnerability is caused due to improper handling of class parameter values of the ParametersInterceptor class, which is directly mapped to the getClass() method. Successful exploitation will allow remote attackers to manipulate the ClassLoader objects used by the application server and leads to arbitrary code execution. ParametersInterceptor is one of the in-built Struts interceptors which set all parameters on the value stack and gets them evaluated.
    • CVE-2014-0113 is similar to the previous vulnerability. CookieInterceptor is another in-built Interceptor used to set values in the stack/action based on cookie name/value. The Java ClassLoader objects can be manipulated via CookieInterceptor, similar to ParametersInterceptor, when it is configured to accept all cookies (when “*” is used to configure cookiesName param).

    Both these vulnerabilities affect Apache Struts versions from 2.0.0 until 2.3.16.2. It is strongly advised that Strust users upgrade to Struts 2.3.16.2. Otherwise, the user can exclude the class parameter from the default configuration as given below.

    <interceptor-ref name=”params”>

    <param name=”excludeParams”>(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>

    </interceptor-ref>

    We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1006015 – Restrict Apache Struts ‘class.classLoader’ Request
    • 1006029 – Restrict Apache Struts ClassLoader Manipulation Via HTTP Cookie Header




    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice