Struts2: ClassLoader manipulation via request parameters (S2-021)

IDs: 
CVE-2014-0112, CVE-2014-0113
Keywords: 
Struts2, OGNL, S2-021
Description: 

An Apache Struts2 vulnerability has been published which allows access to Java class properties (and through them the ClassLoader) by injecting specially crafted parameter names containing the string "class". This vulnerability is a modified version of the vulnerability described in [2].

Affected Struts2 versions are 2.0.0 up to 2.3.16.1.

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.

Resolution: 

If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version 2.3.16.2 or higher, or applying the workaround described in [1].

If you cannot update Struts2 or apply the workaround, you can configure a case-insensitive deny rule with the following parameter name patterns and enable the deny rule on the affected mapping.

\[["']class["']\]
(^|\.)class[.\[]

The pattern (^|\.)class[.\[] blocks parameter names of the form class.classLoader or Object.classLoader, i.e. names that start with "class" or contain a ".class" segment followed by "." or "[".
The pattern \[["']class["']\] blocks parameter names of the form Object['class'] or Object["class"].
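The following is an added example, not part of this advisory and not Airlock's own rule engine: it applies the two deny patterns above, case-insensitively, to URL-decoded parameter names so that the rule's behaviour on crafted and on harmless names can be checked offline. The parameter names and the query string are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# The two deny patterns from the advisory, compiled case-insensitively
# because the deny rule is configured as case-insensitive.
DENY_PATTERNS = [
    re.compile(r"""\[["']class["']\]""", re.IGNORECASE),  # Object['class'], Object["class"]
    re.compile(r"(^|\.)class[.\[]", re.IGNORECASE),        # class.classLoader, a.class.b, class['x']
]


def is_denied(param_name: str) -> bool:
    """True if the (already URL-decoded) parameter name matches any deny pattern.

    re.search is used, not fullmatch: the pattern may occur anywhere in the name.
    """
    return any(p.search(param_name) for p in DENY_PATTERNS)


def blocked_params(query_string: str) -> list[str]:
    """URL-decode a raw query string and return the parameter names the rule blocks.

    Decoding first matters: a name sent as class%5B%27x%27%5D only contains the
    literal "class[" after percent-decoding.
    """
    names = [name for name, _ in parse_qsl(query_string, keep_blank_values=True)]
    return [n for n in names if is_denied(n)]


if __name__ == "__main__":
    # Constructed sample parameter names: the first four are blocked, the last two are not,
    # because "subclass." and "classic." do not contain a standalone "class" segment.
    for name in [
        "class.classLoader.resources.dirContext.docBase",
        "Class.classLoader.x",
        "user['class']['classLoader']",
        'user["class"].classLoader',
        "subclass.name",
        "classic.name",
    ]:
        print(f"{'DENY ' if is_denied(name) else 'allow'}  {name}")
    print(blocked_params("name=x&class.classLoader.x=y&user%5B%27class%27%5D=z"))
```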

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration