
Struts2: ClassLoader manipulation via request parameters (S2-021)

CVE-2014-0112, CVE-2014-0113
Struts2, OGNL, S2-021

An Apache Struts2 vulnerability has been published which allows accessing Java class properties by injecting specially crafted parameter names containing the string "class". This vulnerability is a modified version of the vulnerability described in [2].

Affected Struts2 versions are 2.0.0 up to

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.


If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version or higher, or applying the workaround described in [1].

If you can't update Struts2 or apply the workaround, you can configure a case-insensitive deny rule with the following parameter name patterns and enable the deny rule on the affected mapping.


The first pattern blocks parameter names of the form class.classLoader or Object.classLoader.
The second pattern blocks parameter names of the form Object['class'] or Object["class"].
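As an added illustration of how such a deny rule behaves on incoming parameter names (this is constructed example code, not Airlock's configuration and not its published rule text, which this page does not reproduce): the two regular expressions below are assumptions that implement the two forms described above, applied case-insensitively to a constructed set of request parameter names. Names that merely contain the substring "class" (classification, className, subclass.x) are left alone, which is the precision a deny rule on a production mapping needs.

```python
import re

# Constructed patterns (assumption, not Airlock's rule text).
# Pattern 1: a path segment "class" or "classLoader" reached by dot notation
#            at the start or after a dot, e.g. class.classLoader, Object.classLoader
# Pattern 2: a bracket-indexed key 'class' / "class", e.g. Object['class'], Object["class"]
DENY_PATTERNS = [
    re.compile(r"(^|\.)class(loader)?(\.|\[|$)", re.IGNORECASE),
    re.compile(r"\[\s*['\"]class['\"]\s*\]", re.IGNORECASE),
]


def is_denied(param_name: str) -> bool:
    """True if the parameter name matches any deny pattern (case-insensitive)."""
    return any(p.search(param_name) for p in DENY_PATTERNS)


def filter_request(params: dict) -> tuple[dict, list]:
    """Split a request's parameters into the allowed ones and the denied names.

    A WAF deny rule would reject the whole request on the first hit; returning
    the denied names makes the decision easy to log and to test.
    """
    allowed, denied = {}, []
    for name, value in params.items():
        if is_denied(name):
            denied.append(name)
        else:
            allowed[name] = value
    return allowed, denied


# Constructed sample request parameters (values are irrelevant to the rule).
SAMPLE_PARAMS = {
    "user.name": "alice",           # ordinary form field: allowed
    "class.classLoader.x": "1",     # form 1 (dot notation): denied
    "Object.CLASSLOADER": "1",      # form 1, different case: denied
    "Object['class'].x": "1",       # form 2 (single quotes): denied
    'item["Class"]': "1",           # form 2 (double quotes, mixed case): denied
    "classification": "ok",         # substring only, not a segment: allowed
    "className": "ok",              # substring only: allowed
    "subclass.x": "ok",             # "class" not at a segment boundary: allowed
}

if __name__ == "__main__":
    ok, bad = filter_request(SAMPLE_PARAMS)
    print("denied :", bad)
    print("allowed:", sorted(ok))
```

When tuning a rule like this on a real mapping, run the application's legitimate parameter names through is_denied first: the segment-boundary anchors are what keep fields such as className out of the deny list.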

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Airlock protects, requires changes in configuration