Rapid7 VulnDB

RHSA-2014:0474: struts security update

Severity: 8
CVSS (v2 base vector): (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 04/30/2014
Created: 07/25/2018
Added: 05/08/2014
Modified: 07/04/2017

Description

Apache Struts is a framework for building web applications with Java.

It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114)

All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.
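The mechanism above (a request parameter named `class`, or a nested `.class`, being walked through getClass() into the ClassLoader) leaves a recognisable trace in request parameter names. The following is an added example, not part of the Rapid7 entry or the Red Hat advisory, that scans constructed Apache-style access log lines for such parameter names so an operator can look for probing before and after applying the update. The regular expression is modelled on the parameter-exclusion pattern the Struts project published for this issue; treat the exact regex, the log format and the sample lines as this example's assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name pattern: a segment "class" (any case) at the start or after a
# non-word character, followed by a property separator such as "." or "[".
# "class.classLoader.x" and "user.Class.classLoader.y" match; "classification"
# and "subclass.id" do not. Assumed here, modelled on the Struts project's
# exclusion pattern, not taken from the advisory text.
CLASS_PARAM_RE = re.compile(r"(^|\W)[cC]lass\W")

# Combined-log-format request line (assumed layout): client, two ignored
# fields, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the addresses and paths are illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Apr/2014:10:12:01 +0000] "GET /app/search.do?q=struts&page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2014:10:12:09 +0000] "GET /app/login.do?class.classLoader.x=1 HTTP/1.1" 200 233',
    '198.51.100.7 - - [30/Apr/2014:10:12:10 +0000] "POST /app/login.do?user%2EClass%2EclassLoader.y=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [30/Apr/2014:10:13:44 +0000] "GET /app/list.do?classification=high&subclass.id=3 HTTP/1.1" 200 1024',
]


def suspicious_params(query: str) -> list[str]:
    """Return the parameter names in a query string that would reach getClass().

    parse_qsl percent-decodes names first, so "class%2EclassLoader" is seen
    as "class.classLoader" and simple encoding tricks do not hide it.
    """
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_PARAM_RE.search(n)]


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client, request target, flagged parameter names) for each
    request line whose query string carries a ClassLoader-reaching parameter.
    Lines that do not parse as a request line are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        flagged = suspicious_params(query)
        if flagged:
            hits.append((m.group("client"), m.group("target"), flagged))
    return hits


if __name__ == "__main__":
    for client, target, params in scan_access_log(SAMPLE_LOG):
        print(f"{client} {target} -> {params}")
```

Only the query string is visible in an access log; parameters sent in a POST body reach the same ActionForm population path but have to be inspected at the application server or a reverse proxy. A hit is a reason to confirm the struts package has been upgraded and the application restarted, as the advisory requires; it is not on its own evidence of compromise.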

Solution(s)

  • redhat-upgrade-struts
  • redhat-upgrade-struts-debuginfo
  • redhat-upgrade-struts-javadoc
  • redhat-upgrade-struts-manual
  • redhat-upgrade-struts-webapps-tomcat5
