Interstage Interaction Manager: Struts1 Vulnerability(CVE-2014-0094). June 12th, 2014



1. Description

A security vulnerability was found in the Struts1 that this product provides.
Because of the vulnerability, the Java class loader used by Struts1 can be manipulated from outside.

Not all computers on which the product is installed are affected by the vulnerability.

Computers may be affected under the following conditions:

  • The Struts1 provided by the product has been installed in an environment that uses a third-party application server.
  • A web application uses that Struts1.

Refer to "Note: Determining the affected product" below to confirm whether your computers are affected.

Patches for the vulnerability will be provided.
Contact the Service Support Center if you have any questions about the patches.
If you use a Struts1 provided by another product, follow the procedure that product provides to address the vulnerability.

The workaround shown in 3-3 is provided, and Fujitsu requests that it be applied promptly.

2. Impact

When a request that exploits the vulnerability is received via the Internet, the following problems may occur:

  • The web application becomes unusable
  • Arbitrary files on the server are read

If "class.classLoader" appears in a parameter name of a request URL recorded in the access log of the web server, the vulnerability of the server may have been attacked.

  Example of access log:
    ---------------------------------------------------------------------
    192.168.0.1 - - <27/Apr/2014:16:18:04 +0900> "GET /test/test.do?class.classLoader.xxx....
    ---------------------------------------------------------------------

If the vulnerability is attacked in a way that leaves no record in the access log, it is not possible to prove that an attack took place.

3. Affected systems and corresponding action

3-1. Affected systems:

PRIMEQUEST 1000/2000 series, PRIMERGY

3-2. Affected products and required patch

Interstage Interaction Manager
Products                        Version   Target OS         Package name   Patch ID
Interstage Interaction Manager  V10.1.0   RHEL6 (Intel64)   FJSVapcst      Scheduled

For the solution, refer to "3-3. Workaround" below.

Note: Determining the affected product

Refer to the readme.txt attached to the product for the product version.

Common example of the vulnerability:
When an unspecified large number of computers can access a server on which a web application runs using Struts1, the vulnerability may affect that server.
Confirm the network configuration of the server.

How to confirm whether Struts1 is installed:
Struts1 is installed when both of the following conditions hold:

  • The product runs in an environment using a third-party application server,
    and
  • The following directories exist:
    • Linux:
      /opt/FJSVapcst/struts, and
      /opt/FJSVapcst/struts12

If Struts1 is installed, confirm whether the web application uses Struts1 in the following manner.

How to confirm whether Struts1 is used:

Struts1 may be used in the following cases:

  • The Struts1 jar files are set in the class path of the web application,
    or
  • The Struts1 jar files are packaged in the web application.

Ask the developer of the web application whether Struts1 is actually used.

  1. How to confirm the class path
    Refer to the documentation of the third-party application server to confirm
    whether the jar files in the product's Struts1 installation folder are set in the class path.
  2. How to confirm whether the jar files are packaged in the web application
    Confirm whether the following jar file exists in the "WEB-INF/lib" directory of the war file:
    - struts.jar

Also confirm the war files contained in an enterprise application (ear).

3-3. Workaround

Prevent the web application from receiving parameters named "class" or "Class".
For example, the following measures can be considered:

  • If you use a WAF (Web Application Firewall), an IPS (Intrusion Prevention System) or a similar product, ask its vendor whether it can address the vulnerability.
  • Implement a servlet filter and apply it to each web application.
    The procedure is as follows:
    1. Compile a Java program such as the following example to create a class file
      (the class name can be chosen freely).
      ------
      import java.io.IOException;
      import java.util.Enumeration;
      import java.util.regex.Pattern;
      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import javax.servlet.http.HttpServletRequest;

      public class StrutsFilter implements Filter {
         // Matches "class" or "Class" as a separate token that is followed by a
         // non-word character, e.g. "class.classLoader" or "form.Class.x".
         static Pattern EXCLUDE_PATTERN = Pattern.compile("(^|\\W)[cC]lass\\W");

         public void init(FilterConfig config) throws ServletException {
         }

         public void doFilter(ServletRequest req, ServletResponse res,
             FilterChain filter) throws IOException, ServletException {
           Enumeration params = ((HttpServletRequest)req).getParameterNames();
           while (params.hasMoreElements()) {
              String name = (String) params.nextElement();
              if (EXCLUDE_PATTERN.matcher(name).find()) {
                  // Abort the request: it carries a forbidden parameter name.
                  throw new IllegalArgumentException(name);
              }
           }
           // No forbidden name found: pass the request on to the application.
           filter.doFilter(req, res);
         }

         public void destroy() {
         }
      }
      ------
    2. Register the class created in step 1 in web.xml as a filter
         (the filter-name can be chosen freely).
          Example:
          ------
          <web-app>
            ...
            <filter>
                <filter-name>classfilter</filter-name>
                <filter-class>StrutsFilter</filter-class>
            </filter>
            <filter-mapping>
                <filter-name>classfilter</filter-name>
                <url-pattern>/*</url-pattern>
            </filter-mapping>
            ...
          </web-app>
          ------
    3. Package the class file created in step 1 and the web.xml modified in step 2 into the war file, and then deploy it.

      Refer to the documentation of the third-party application server for how to deploy a web application.
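The access-log check from section 2 and the parameter-name rule of the servlet filter in section 3-3, worked through in Python as an added example (it is not part of this advisory and not product code): it applies the filter's regular expression to parameter names and scans access-log lines for requests that the filter would have rejected. The log lines, client addresses, timestamps and parameter values are constructed samples, and the helper names (`is_blocked_name`, `suspicious_params`, `scan_access_log`) are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Same expression as the StrutsFilter in section 3-3: "class" or "Class" as a
# separate token that is followed by a non-word character.
EXCLUDE_PATTERN = re.compile(r"(^|\W)[cC]lass\W")

# Common/combined log format: client ident user [time] "METHOD target ..." ...
# The timestamp is accepted in [] or in <>, the form the advisory's sample uses.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ [\[<]([^\]>]+)[\]>] "(\S+) (\S+)')


def is_blocked_name(name: str) -> bool:
    """True if the section 3-3 servlet filter would reject this parameter name."""
    return EXCLUDE_PATTERN.search(name) is not None


def suspicious_params(request_target: str) -> list:
    """Parameter names in a request target (path?query) that the filter would reject.

    parse_qsl percent-decodes the names, so an encoded "class%2EclassLoader"
    is judged the same way the servlet container would see it.
    """
    query = urlsplit(request_target).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [name for name in names if is_blocked_name(name)]


def scan_access_log(lines) -> list:
    """One record per access-log line whose query string carries a parameter
    name the filter would reject; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, timestamp, method, target = match.groups()
        params = suspicious_params(target)
        if params:
            hits.append({"client": client, "time": timestamp,
                         "method": method, "target": target, "params": params})
    return hits


# Constructed sample log lines (addresses, times and parameters are made up).
LOG_SAMPLE = """\
192.168.0.1 - - [27/Apr/2014:16:18:04 +0900] "GET /test/test.do?class.classLoader.xxx=1 HTTP/1.1" 200 512
192.168.0.2 - - [27/Apr/2014:16:18:05 +0900] "GET /test/test.do?name=alice&classRoom=3 HTTP/1.1" 200 512
192.168.0.3 - - <27/Apr/2014:16:18:06 +0900> "POST /test/save.do?form.Class.classLoader.x=1 HTTP/1.1" 500 0
192.168.0.4 - - [27/Apr/2014:16:18:07 +0900] "GET /test/test.do?subclass.x=1&class%2EclassLoader%2Ey=2 HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for hit in scan_access_log(LOG_SAMPLE.splitlines()):
        print(hit["client"], hit["time"], hit["method"], hit["target"], hit["params"])
```

Two points the sample makes visible: the pattern requires a non-word character after "class", so `classRoom` and `subclass.x` pass while `class.classLoader.xxx`, `form.Class.classLoader.x` and the percent-encoded `class%2EclassLoader%2Ey` are rejected; and only parameters in the request URL reach the access log, so a request that carries its parameters elsewhere leaves nothing for this scan to find, which is the situation section 2 describes.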

4. Related information

  1. National Vulnerability Database (NVD): CVE-2014-0094
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094

5. Revision history

  • June 12th, 2014: Initial release
