Vulnerability

Apache Struts ClassLoader Manipulation Security Bypass Vulnerability

Publish date: July 21, 2015

CVE-2014-0094,CVE-2014-0112,CVE-2014-0114

SEVERITY

MEDIUM

//  ADVISORY DATE

24 APR 2014


DESCRIPTION

The ParametersInterceptor in Apache Struts allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

TREND MICRO PROTECTION INFORMATION

Apply associated Trend Micro DPI Rules.

SOLUTION

Trend Micro Deep Security DPI Rule Number: 1006015

Trend Micro Deep Security DPI Rule Name: 1006015 - Restrict Apache Struts 'class.classLoader' Request

AFFECTED SOFTWARE AND VERSION

  • apache struts 2.0.0
  • apache struts 2.0.1
  • apache struts 2.0.10
  • apache struts 2.0.11
  • apache struts 2.0.11.1
  • apache struts 2.0.11.2
  • apache struts 2.0.12
  • apache struts 2.0.13
  • apache struts 2.0.14
  • apache struts 2.0.2
  • apache struts 2.0.3
  • apache struts 2.0.4
  • apache struts 2.0.5
  • apache struts 2.0.6
  • apache struts 2.0.7
  • apache struts 2.0.8
  • apache struts 2.0.9
  • apache struts 2.1.0
  • apache struts 2.1.1
  • apache struts 2.1.2
  • apache struts 2.1.3
  • apache struts 2.1.4
  • apache struts 2.1.5
  • apache struts 2.1.6
  • apache struts 2.1.8
  • apache struts 2.1.8.1
  • apache struts 2.2.1
  • apache struts 2.2.1.1
  • apache struts 2.2.3
  • apache struts 2.2.3.1
  • apache struts 2.3.1
  • apache struts 2.3.1.1
  • apache struts 2.3.1.2
  • apache struts 2.3.12
  • apache struts 2.3.14
  • apache struts 2.3.14.1
  • apache struts 2.3.14.2
  • apache struts 2.3.14.3
  • apache struts 2.3.15
  • apache struts 2.3.15.1
  • apache struts 2.3.15.2
  • apache struts 2.3.15.3
  • apache struts 2.3.16
  • apache struts 2.3.3
  • apache struts 2.3.4
  • apache struts 2.3.4.1
  • apache struts 2.3.7
  • apache struts 2.3.8

Featured Stories

Connect with us on