
Struts2: struts internals manipulation via cookie request headers (S2-022)

IDs: 
CVE-2014-0116, S2-022
Keywords: 
struts2, cookie
Description: 

Due to an incomplete fix for CVE-2014-0113 (described in Techzone article [1]), Apache Struts2 versions 2.0.0 up to 2.3.16.2 do not block direct access to Java class properties when CookieInterceptor is used.

Resolution: 

The cookie store of Airlock, which is active by default, protects back-ends from malicious cookies sent by an attacker by removing the cookies from the request. Airlock therefore prevents exploitation of this vulnerability.

If you have configured passthrough cookies in Airlock, especially using wildcard characters, we recommend upgrading Struts2 to version 2.3.16.3 or higher.
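To find back-ends that need the upgrade, the following added example (not part of the original advisory or of Airlock) scans a WAR archive for a bundled `struts2-core` jar and compares its version with the affected range given above. It assumes the jar keeps its standard `struts2-core-<version>.jar` file name and reads "up to 2.3.16.2" as inclusive; `scan_war` and the other function names are hypothetical, and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

# Affected range as stated in the advisory: 2.0.0 up to 2.3.16.2;
# 2.3.16.3 is the first version recommended as fixed.
FIRST_AFFECTED = (2, 0, 0, 0)
FIRST_FIXED = (2, 3, 16, 3)
# Assumption: the jar was not renamed when it was packaged.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """'2.3.16.1' -> (2, 3, 16, 1)"""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version lies in [2.0.0, 2.3.16.3)."""
    # Pad to four components so that 2.3.16 compares as 2.3.16.0.
    padded = (tuple(version) + (0, 0, 0, 0))[:4]
    return FIRST_AFFECTED <= padded < FIRST_FIXED


def scan_war(war_file):
    """Return [(entry_name, version, affected)] for struts2-core jars in a WAR."""
    findings = []
    with zipfile.ZipFile(war_file) as war:
        for name in war.namelist():
            match = JAR_RE.search(name)
            if match:
                version = match.group(1)
                findings.append((name, version, is_affected(parse_version(version))))
    return findings


def build_sample_war(jar_names):
    """Constructed sample: an in-memory WAR holding empty jars with these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_war(["struts2-core-2.3.16.1.jar", "commons-io-2.2.jar"])
    for name, version, affected in scan_war(sample):
        status = "affected, upgrade" if affected else "not in affected range"
        print(f"{name}: {version} -> {status}")
```

A clean result only means no recognisably named `struts2-core` jar was found; applications that repackage or shade Struts2 need a manual check.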

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock