Struts2: ClassLoader manipulation via request parameters (S2-020)

IDs: 
CVE-2014-0094
Keywords: 
struts2, OGNL, S2-020
Description: 

An Apache Struts2 vulnerability has been published which allows access to Java class properties (including the ClassLoader) by injecting specially crafted parameter names containing the string "class", because parameter names are interpreted as OGNL expressions.

Affected Struts2 versions are 2.0.0 up to 2.3.16 

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.

Resolution: 

If you are using a vulnerable Apache Struts2 version in a back-end application, we strongly recommend updating Struts2 to version 2.3.16.1 or higher, or applying the workaround described in [1].

If you cannot update Struts2 or apply the workaround, you can configure a case-insensitive deny rule with the following parameter name patterns and enable the deny rule on the affected mapping.

\[["']class["']\]
(^|\.)class[.\[]

The pattern \[["']class["']\] blocks parameter names of the form Object['class'] or Object["class"].
The pattern (^|\.)class[.\[] blocks parameter names of the form class.classLoader or Object.classLoader.
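The following added example (not part of the advisory or of Airlock) applies the two deny patterns case-insensitively to a constructed set of request parameter names, showing which names the rule blocks and that benign names merely containing the substring "class" pass through.

```python
import re

# The two deny patterns from the advisory, compiled case-insensitively
# as recommended. search() is used because a deny rule fires when the
# pattern occurs anywhere in the parameter name.
DENY_PATTERNS = [
    # Bracket form: Object['class'] or Object["class"]
    re.compile(r"""\[["']class["']\]""", re.IGNORECASE),
    # Dotted form: a "class" segment at the start or after a dot,
    # followed by a further property access ("class." or "class[")
    re.compile(r"(^|\.)class[.\[]", re.IGNORECASE),
]


def is_denied(param_name: str) -> bool:
    """True if the deny rule would block this parameter name."""
    return any(p.search(param_name) for p in DENY_PATTERNS)


def filter_params(params: dict) -> tuple:
    """Split request parameters into (allowed_params, denied_names)."""
    allowed = {}
    denied = []
    for name, value in params.items():
        if is_denied(name):
            denied.append(name)
        else:
            allowed[name] = value
    return allowed, denied


# Constructed sample request (hypothetical values): three benign names
# that contain the substring "class" or are ordinary fields, followed by
# the parameter-name shapes the advisory's patterns are meant to block.
SAMPLE_PARAMS = {
    "username": "alice",
    "classification": "internal",
    "myclass.name": "Demo",
    "class.classLoader": "x",
    "CLASS.ClassLoader": "x",
    "Object['class']": "x",
    'Object["class"]': "x",
}

if __name__ == "__main__":
    allowed, denied = filter_params(SAMPLE_PARAMS)
    print("allowed:", sorted(allowed))
    print("denied: ", denied)
```

Note that the dotted pattern only fires when "class" is a complete name segment followed by "." or "[", so a field such as "classification" is not blocked.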

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration