Interstage Interaction Manager: Struts1 Vulnerability(CVE-2014-0094). June 12th, 2014

Notes on using this web page

1. Description

A security vulnerability found in Struts1 provided by the product.
Because of the vulnerability, a java classloader in Struts1 can be manipulated externally.

All computers in which the product is installed do not affected by the vulnerability.

In the following conditions, the vulnerability may affect computers:

  • Installing Struts1 provided by the product in the environment using application server of third party.
  • Being used Struts1 by the web application.

After referring "Note: Determining the affected product" described later, confirm whether to affect computers or not.

The patches for the vulnerability will be provided.
Contact Service Support Center if you have any questions about the patches.
If you use Struts1 which other product provides, follow the way other product provides to avoid the vulnerability.

The workaround shown in 3-3. are provided, and Fujitsu requests that these be applied promptly.

2. Impact

When receiving the request to attack the vulnerability via internet, the following problems may occur: 

  • Being unable to use web application
  • Reading the any file on a server

If "class.classLoader" is included in the parameter name of the request URL that is recorded in the access log of the web server, the vulnerability of the server may be attacked.

  Example of access log:
    --------------------------------------------------------------------- - - <27/Apr/2014:16:18:04 +0900> "GET /test/

If the vulnerability of the server is attacked without leaving record in the access log, it is not be possible to prove to be attacked.

3. Affected systems and corresponding action

3-1. Affected systems:

PRIMEQUEST 1000/2000 series, PRIMERGY

3-2. Affected products and required patch

Interstage Interaction Manager
ProductsVersionTarget OSPackage namePatch ID.
Interstage Interaction ManagerV10.1.0RHEL6(Intel64)FJSVapcstScheduled

For the solution, please refer to the following "3-3. Workaround".

Note: Determining the affected product

Refer to readme.txt attached the product for the version of the product.

Common example of the vulnerability:
When unspecified large number of computers access the server on which web application runs using Struts1, the vulnerability may affect the server.
Confirm the network configuration of the server.

The ways to confirm whether to install Struts1 or not are as follows:
In the following conditions, Struts1 is installed:

  • When the product runs in the environment using the application server of third party.
  • When the following directories exist:
    • Linux:
      /opt/FJSVapcst/struts, and

If Struts1 is installed, confirm whether the web application uses Struts1 or not in the following manner.

The ways to confirm whether to use Struts1 or not are as follows:

In the following cases, the Struts1 may be used:

  • Setting jar files of Struts1 to class path of web application
  • Packaging jar files of Struts1

Ask the developer of web application if Struts1 is used actually.

  1. The ways to confirm class path
    Refer to documents for the application server of third party to confirm
    whether jar files are set in installation folder of Struts1 of the product.
  2. The ways to confirm whether to package the jar files to web application
    Confirm whether to exist the following jar file in "WEB-INF/lib"directory of war file.
    - struts.jar

Also confirm war file of enterprise application(ear).

3-3. Workaround

Prevent web application from receiving the parameter named "class" and "Class".
For example, the following measures can be considered:

  • In the case of using WAF(Web Application Firewall) and IPS(Intrusion Prevention System) and so on, ask the provider of the product whether to be able to address the vulnerability.
  • Implement a servlet filter and then apply it to each web application.
    The procedures are as follows:
    1. Create a class file after compiling a java program as the following example
      (class name can be set as you like.)
      import javax.servlet.Filter;
      import java.util.regex.Pattern;

      public class StrutsFilter implements Filter {
         static Pattern EXCLUDE_PATTERN = Pattern.compile("(^|¥¥W)[cC]lass¥¥W");

         public void doFilter(ServletRequest req, ServletResponse res,
             FilterChain filter) throws IOException, ServletException {
           Enumeration params = ((HttpServletRequest)req).getParameterNames();
           while (params.hasMoreElements()) {
              String name = (String) params.nextElement();
              if (EXCLUDE_PATTERN.matcher(name).find()) {
                  throw new IllegalArgumentException(name);
           filter.doFilter(req, res);
    2. Set the class created in "i" in web.xml as a filer
         (the name of filer-name can be set as you like.)
        < web-app >
          < filter >
              < filter-name >classfilter< /filter-name >
              < filter-class >StrutsFilter< /filter-class >
          < /filter >
          < filter-mapping >
              < filter-name >classfilter< /filter-name >
              < url-pattern >/*< /url-pattern >
          < /filter-mapping >
        < /web-app >
    3. Package the class file created in "i" and web.xml modified in "ii" as war file, and then deploy them.

      Refer to documents for the application server of third party for the way to deploy web application.

4. Related information

  1. National Vulnerability Database (NVD): CVE-2014-0094

5. Revision history

  • June 12th, 2014: Initial release

Top of Page