ID

VAR-201403-0506


CVE

CVE-2014-0094


TITLE

** Delete ** Apache Struts ParametersInterceptor ClassLoader manipulation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001603

DESCRIPTION

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ** Delete ** This entry was removed because it was found to duplicate JVNDB-2014-000045; please refer to JVNDB-2014-000045. Apache Struts is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16 are vulnerable.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0007
Synopsis: VMware product updates address security vulnerabilities in Apache Struts library
Issue date: 2014-06-24
Updated on: 2014-06-24 (Initial Advisory)
CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

VMware product updates address security vulnerabilities in Apache Struts library

2. Relevant releases

VMware vCenter Operations Management Suite prior to 5.8.2

3. Problem Description

a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues.

CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition.

vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112.

Workaround

A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product   Running   Replace with/
Product   Version   on        Apply Patch
========  ========  ========  =================
vCOPS     5.8.x     any       vCOPS 5.8.2
vCOPS     5.7.x     any       patch pending *
vCO       5.5       any       patch pending
vCO       5.1       any       patch pending
vCO       4.2       any       patch pending

*Customers are advised to apply the workaround or update to vCOps 5.8.2.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Operations Management Suite 5.8.2
-----------------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vcops

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------
6. Change log

2014-06-24 VMSA-2014-0007
Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8

wj8DBQFTqi0BDEcm8Vbi9kMRAnCKAJ9otVO7DlXuMnSEGh2TLBzS5hniKgCeMnAM
CZ5+DYZAydCjMwVgtKqoo7Y=
=Vwu5
-----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2014-0094 // JVNDB: JVNDB-2014-001603 // BID: 65999 // VULMON: CVE-2014-0094 // PACKETSTORM: 127215
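The description above concerns a parameter name (class, which navigates to getClass() and from there to the ClassLoader) that ParametersInterceptor should never bind onto an action, and the VMware advisory quoted with it notes that the first fix was only partial (CVE-2014-0112). The following Python is an added example, not code from Apache Struts or from any vendor on this page: it contrasts a literal-prefix exclusion rule with a case-insensitive, segment-based one, and runs both over constructed access-log lines to show which parameter names each rule catches. The two regular expressions are my own illustrations of the two strategies and are assumed, not the exact excludeParams expressions shipped in any Struts release; the sample log lines are likewise constructed.

```python
"""Parameter-name screening in the spirit of the Struts S2-020/S2-021 fixes.

Added example; illustrative only. The two regexes below are assumptions that
model two fix strategies, not the literal excludeParams expressions from any
struts-default.xml.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Strategy 1 (assumption, modelling the first, incomplete fix): reject only
# names that literally start with "class.".
NAIVE_EXCLUDE = re.compile(r"^class\..*")

# Strategy 2 (assumption, modelling the hardened fix): reject "class" as a
# navigation segment anywhere in the name, case-insensitively, whether it is
# reached via dot, bracket or quoted-bracket syntax.
HARDENED_EXCLUDE = re.compile(
    r"(^|.*\.|.*\[['\"]?)class(\.|\[|['\"]?\]|$)", re.IGNORECASE
)

# Request target inside a Common/Combined Log Format line.
REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')


def is_excluded(param_name, pattern=HARDENED_EXCLUDE):
    """True if a parameter with this name must not be bound onto the action."""
    return pattern.match(param_name) is not None


def flagged_params(log_line, pattern=HARDENED_EXCLUDE):
    """Parameter names in the line's query string that the pattern rejects.

    Only query strings are visible in an access log; POST bodies would need
    request-body logging or an inline proxy/WAF to inspect.
    """
    m = REQUEST_TARGET.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    # parse_qsl percent-decodes, so brackets and quotes come back as typed.
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_excluded(name, pattern)]


def scan(lines, pattern=HARDENED_EXCLUDE):
    """Map line index -> rejected parameter names, for lines that have any."""
    hits = {}
    for i, line in enumerate(lines):
        names = flagged_params(line, pattern)
        if names:
            hits[i] = names
    return hits


# Constructed sample lines (not real traffic). defaultAssertionStatus is a
# real java.lang.ClassLoader property, chosen because it is harmless to set;
# the point is only that the name traverses class -> classLoader.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2014:10:00:01 +0000] "GET /app/login.action?username=alice&classifier=3&myclass.name=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Mar/2014:10:00:02 +0000] "GET /app/index.action?class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 312',
    '10.0.0.9 - - [11/Mar/2014:10:00:03 +0000] "GET /app/index.action?Class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 312',
    '10.0.0.9 - - [11/Mar/2014:10:00:04 +0000] "GET /app/index.action?top%5B%27class%27%5D.classLoader.parent=x HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_EXCLUDE), ("hardened", HARDENED_EXCLUDE)):
        print(label, scan(SAMPLE_LOG, pattern))
```

Running the script shows the naive rule flagging only the lowercase line, while the hardened rule also catches the capitalised and bracket-navigated variants without rejecting ordinary names such as classifier or myclass.name. Treat any hit on class.classLoader in production logs as a probe worth investigating regardless of which property is at the end of the chain.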

AFFECTED PRODUCTS

vendor: apache | model: struts | scope: lt | version: 2.3.16.1

Trust: 1.8

vendor: apache | model: struts | scope: gte | version: 2.0.0

Trust: 1.0

vendor: fujitsu | model: integrated system ha database ready | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage | scope: eq | version: business analytics modeling server

Trust: 0.8

vendor: fujitsu | model: interstage | scope: eq | version: business process manager analytics

Trust: 0.8

vendor: fujitsu | model: interstage | scope: eq | version: extreme transaction processing server

Trust: 0.8

vendor: fujitsu | model: interstage | scope: eq | version: mobile manager

Trust: 0.8

vendor: fujitsu | model: interstage application development cycle manager | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage application framework suite | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage application server | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage apworks | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage business application server | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage job workload server | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage service integrator | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: interstage studio | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: serverview | scope: eq | version: resource orchestrator

Trust: 0.8

vendor: fujitsu | model: symfoware | scope: eq | version: analytics server

Trust: 0.8

vendor: fujitsu | model: symfoware | scope: eq | version: server

Trust: 0.8

vendor: fujitsu | model: systemwalker service catalog manager | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: systemwalker service quality coordinator | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: systemwalker software configuration manager | scope: - | version: -

Trust: 0.8

vendor: fujitsu | model: triole | scope: eq | version: cloud middle set b set

Trust: 0.8

vendor: fujitsu | model: cloud infrastructure management software | scope: - | version: -

Trust: 0.8

vendor: apache | model: struts | scope: eq | version: 2.3.12

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.1

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.14.2

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.0.11.1

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.15.1

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.14

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.15.3

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.14.3

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.3.15

Trust: 0.6

vendor: apache | model: struts | scope: eq | version: 2.0.11.2

Trust: 0.6

vendor: apache | model: software foundation struts | scope: eq | version: 2.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.11

Trust: 0.3

vendor: ibm | model: storwize unified | scope: eq | version: v7000 1.3.0.0

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.3.1.2

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.2.11

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.7

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.8

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.2

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.4

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.3

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.6

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.5

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.14

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.2.3.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.9

Trust: 0.3

vendor: ibm | model: storwize unified | scope: eq | version: v7000 1.3.1.0

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.8

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.3.1.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.3

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.8.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.4

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.2

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.5

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.12

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.1.6

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.13

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.10

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.11.2

Trust: 0.3

vendor: ibm | model: storwize unified | scope: eq | version: v7000 1.3.0.5

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.0.11.1

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.2.3

Trust: 0.3

vendor: apache | model: software foundation struts | scope: eq | version: 2.2

Trust: 0.3

sources: BID: 65999 // JVNDB: JVNDB-2014-001603 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-0094
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201403-191
value: MEDIUM

Trust: 0.6

VULMON: CVE-2014-0094
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-0094
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

sources: VULMON: CVE-2014-0094 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-0094

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-191

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201403-191

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001603

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2014-0094

PATCH

title: S2-021
url: http://struts.apache.org/release/2.3.x/docs/s2-021.html

Trust: 0.8

title: S2-020
url: http://struts.apache.org/release/2.3.x/docs/s2-020.html

Trust: 0.8

title: Impact of CVE-2014-0094 and related issues (Fujitsu)
url: http://software.fujitsu.com/jp/security/vulnerabilities/cve2014-0094-0114.html

Trust: 0.8

title: Interstage BPMA and others: CVE-2014-0094
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_bpma201401.html

Trust: 0.8

title: Interstage Application Development Cycle Manager (ADM): Struts vulnerability (CVE-2014-0094) (May 27, 2014)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_aplidevcyclemgr_201401.html

Trust: 0.8

title: Symfoware Server (Open Interface): Struts vulnerabilities (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (June 2, 2014)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/symfoware_201402.html

Trust: 0.8

title: struts-2.3.16.1-all
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48603

Trust: 0.6

title: Debian CVElist Bug Report Logs: libstruts1.2-java: CVE-2014-0114
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=96f4091aa31a0ece729fdcb110066df5

Trust: 0.1

title: Red Hat: CVE-2014-0094
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-0094

Trust: 0.1

title: VMware Security Advisories: VMware product updates address security vulnerabilities in Apache Struts library
url: https://vulmon.com/vendoradvisory?qidtp=vmware_security_advisories&qid=3f8f92a767d3e2773247be2d5077cbee

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - April 2015
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4b527561ba1a5de7a529c8a93679f585

Trust: 0.1

title: CVE-2014-0094-test-program-for-struts1
url: https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1

Trust: 0.1

sources: VULMON: CVE-2014-0094 // JVNDB: JVNDB-2014-001603 // CNNVD: CNNVD-201403-191

EXTERNAL IDS

db: NVD | id: CVE-2014-0094

Trust: 2.9

db: SECTRACK | id: 1029876

Trust: 2.4

db: BID | id: 65999

Trust: 1.9

db: PACKETSTORM | id: 127215

Trust: 1.7

db: JVN | id: JVN19294237

Trust: 1.6

db: SECUNIA | id: 56440

Trust: 1.6

db: SECUNIA | id: 59178

Trust: 1.6

db: JVNDB | id: JVNDB-2014-000045

Trust: 1.6

db: JVNDB | id: JVNDB-2014-001603

Trust: 0.8

db: CNNVD | id: CNNVD-201403-191

Trust: 0.6

db: VULMON | id: CVE-2014-0094

Trust: 0.1

sources: VULMON: CVE-2014-0094 // BID: 65999 // JVNDB: JVNDB-2014-001603 // PACKETSTORM: 127215 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

REFERENCES

url:http://www.securitytracker.com/id/1029876

Trust: 2.4

url:http://jvn.jp/en/jp/jvn19294237/index.html

Trust: 1.6

url:http://www.securityfocus.com/archive/1/532549/100/0/threaded

Trust: 1.6

url:http://jvndb.jvn.jp/jvndb/jvndb-2014-000045

Trust: 1.6

url:http://www.vmware.com/security/advisories/vmsa-2014-0007.html

Trust: 1.6

url:http://www.securityfocus.com/archive/1/531362/100/0/threaded

Trust: 1.6

url:http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm

Trust: 1.6

url:http://secunia.com/advisories/59178

Trust: 1.6

url:http://www-01.ibm.com/support/docview.wss?uid=swg21676706

Trust: 1.6

url:http://secunia.com/advisories/56440

Trust: 1.6

url:http://www.securityfocus.com/bid/65999

Trust: 1.6

url:http://packetstormsecurity.com/files/127215/vmware-security-advisory-2014-0007.html

Trust: 1.6

url:http://www.konakart.com/downloads/ver-7-3-0-0-whats-new

Trust: 1.6

url:http://struts.apache.org/release/2.3.x/docs/s2-020.html

Trust: 1.6

url:http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0094

Trust: 0.9

url:http://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0094

Trust: 0.8

url:http://struts.apache.org/

Trust: 0.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0050

Trust: 0.1

url:https://twitter.com/vmwaresrc

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0112

Trust: 0.1

url:https://www.vmware.com/support/policies/lifecycle.html

Trust: 0.1

url:http://kb.vmware.com/kb/2081470

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0112

Trust: 0.1

url:http://kb.vmware.com/kb/1055

Trust: 0.1

url:http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

Trust: 0.1

url:https://www.vmware.com/support/policies/security_response.html

Trust: 0.1

url:http://www.vmware.com/security/advisories

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0050

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0094

Trust: 0.1

url:https://www.vmware.com/go/download-vcops

Trust: 0.1

sources: BID: 65999 // JVNDB: JVNDB-2014-001603 // PACKETSTORM: 127215 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

CREDITS

Mark Thomas and Przemyslaw Celej

Trust: 0.3

sources: BID: 65999

SOURCES

db: VULMON | id: CVE-2014-0094
db: BID | id: 65999
db: JVNDB | id: JVNDB-2014-001603
db: PACKETSTORM | id: 127215
db: CNNVD | id: CNNVD-201403-191
db: NVD | id: CVE-2014-0094

LAST UPDATE DATE

2024-08-14T13:01:39.181000+00:00


SOURCES UPDATE DATE

db: VULMON | id: CVE-2014-0094 | date: 2019-08-12T00:00:00
db: BID | id: 65999 | date: 2015-07-15T00:14:00
db: JVNDB | id: JVNDB-2014-001603 | date: 2014-06-03T00:00:00
db: CNNVD | id: CNNVD-201403-191 | date: 2019-08-15T00:00:00
db: NVD | id: CVE-2014-0094 | date: 2019-08-12T21:15:12.140

SOURCES RELEASE DATE

db: VULMON | id: CVE-2014-0094 | date: 2014-03-11T00:00:00
db: BID | id: 65999 | date: 2014-03-06T00:00:00
db: JVNDB | id: JVNDB-2014-001603 | date: 2014-03-12T00:00:00
db: PACKETSTORM | id: 127215 | date: 2014-06-25T21:34:12
db: CNNVD | id: CNNVD-201403-191 | date: 2014-03-12T00:00:00
db: NVD | id: CVE-2014-0094 | date: 2014-03-11T13:00:37.107