Sign-up

ID

VAR-201403-0506


CVE

CVE-2014-0094


TITLE

** Delete ** Apache Struts of ParametersInterceptor In ClassLoader Vulnerability manipulated

Trust: 0.8

sources: JVNDB: JVNDB-2014-001603

DESCRIPTION

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ** Delete ** This case JVNDB-2014-000045 It was removed because it was found to be duplicated. JVNDB-2014-000045 Please refer to. Apache Struts is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0007 Synopsis: VMware product updates address security vulnerabilities in Apache Struts library Issue date: 2014-06-24 Updated on: 2014-06-24 (Initial Advisory) CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112 - ------------------------------------------------------------------------ 1. Summary VMware product updates address security vulnerabilities in Apache Struts library 2. Relevant releases VMware vCenter Operations Management Suite prior to 5.8.2 3. Problem Description a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition. vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. Workaround A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCOPS 5.8.x any vCOPS 5.8.2 vCOPS 5.7.x any patch pending * vCO 5.5 any patch pending vCO 5.1 any patch pending vCO 4.2 any patch pending *Customers are advised to apply the workaround or update to vCOps 5.8.2. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Operations Management Suite 5.8.2 ----------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vcops 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112 http://kb.vmware.com/kb/2081470 - ------------------------------------------------------------------------ 6. Change log 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFTqi0BDEcm8Vbi9kMRAnCKAJ9otVO7DlXuMnSEGh2TLBzS5hniKgCeMnAM CZ5+DYZAydCjMwVgtKqoo7Y= =Vwu5 -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2014-0094 // JVNDB: JVNDB-2014-001603 // BID: 65999 // VULMON: CVE-2014-0094 // PACKETSTORM: 127215

AFFECTED PRODUCTS

vendor:apachemodel:strutsscope:ltversion:2.3.16.1

Trust: 1.8

vendor:apachemodel:strutsscope:gteversion:2.0.0

Trust: 1.0

vendor:fujitsumodel:integrated system ha database readyscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstagescope:eqversion:business analytics modeling server

Trust: 0.8

vendor:fujitsumodel:interstagescope:eqversion:business process manager analytics

Trust: 0.8

vendor:fujitsumodel:interstagescope:eqversion:extreme transaction processing server

Trust: 0.8

vendor:fujitsumodel:interstagescope:eqversion:mobile manager

Trust: 0.8

vendor:fujitsumodel:interstage application development cycle managerscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage application framework suitescope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage apworksscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage business application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage job workload serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage service integratorscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage studioscope: - version: -

Trust: 0.8

vendor:fujitsumodel:serverviewscope:eqversion:resource orchestrator

Trust: 0.8

vendor:fujitsumodel:symfowarescope:eqversion:analytics server

Trust: 0.8

vendor:fujitsumodel:symfowarescope:eqversion:server

Trust: 0.8

vendor:fujitsumodel:systemwalker service catalog managerscope: - version: -

Trust: 0.8

vendor:fujitsumodel:systemwalker service quality coordinatorscope: - version: -

Trust: 0.8

vendor:fujitsumodel:systemwalker software configuration managerscope: - version: -

Trust: 0.8

vendor:fujitsumodel:triolescope:eqversion:cloud middle set b set

Trust: 0.8

vendor:fujitsumodel:cloud infrastructure management softwarescope: - version: -

Trust: 0.8

vendor:apachemodel:strutsscope:eqversion:2.3.12

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.1

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.14.2

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.0.11.1

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.15.1

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.14

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.15.3

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.14.3

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.3.15

Trust: 0.6

vendor:apachemodel:strutsscope:eqversion:2.0.11.2

Trust: 0.6

vendor:apachemodel:software foundation strutsscope:eqversion:2.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.11

Trust: 0.3

vendor:ibmmodel:storwize unifiedscope:eqversion:v70001.3.0.0

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.3.1.2

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.2.11

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.7

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.8

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.2

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.4

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.3

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.6

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.5

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.14

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.2.3.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.9

Trust: 0.3

vendor:ibmmodel:storwize unifiedscope:eqversion:v70001.3.1.0

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.8

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.3.1.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.3

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.8.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.4

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.2

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.5

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.12

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.1.6

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.13

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.10

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.11.2

Trust: 0.3

vendor:ibmmodel:storwize unifiedscope:eqversion:v70001.3.0.5

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.0.11.1

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.2.3

Trust: 0.3

vendor:apachemodel:software foundation strutsscope:eqversion:2.2

Trust: 0.3

sources: BID: 65999 // JVNDB: JVNDB-2014-001603 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-0094
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201403-191
value: MEDIUM

Trust: 0.6

VULMON: CVE-2014-0094
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-0094
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

sources: VULMON: CVE-2014-0094 // CNNVD: CNNVD-201403-191 // NVD: CVE-2014-0094

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-0094

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-191

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201403-191

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001603

EXPLOIT AVAILABILITY
sources:
            
            
            VULMON: CVE-2014-0094

PATCH
title:S2-021url:http://struts.apache.org/release/2.3.x/docs/s2-021.html
Trust: 0.8
title:S2-020url:http://struts.apache.org/release/2.3.x/docs/s2-020.html
Trust: 0.8
title:CVE-2014-0094 他 に関する影響url:http://software.fujitsu.com/jp/security/vulnerabilities/cve2014-0094-0114.html
Trust: 0.8
title:Interstage BPMA他 CVE-2014-0094url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_bpma201401.html
Trust: 0.8
title:Interstage Application Development Cycle Manager(ADM): strutsの脆弱性(CVE-2014-0094) (2014年5月27日)url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_aplidevcyclemgr_201401.html
Trust: 0.8
title:Symfoware Server(Openインタフェース): Strutsの脆弱性(CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (2014年6月2日)url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/symfoware_201402.html
Trust: 0.8
title:struts-2.3.16.1-allurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48603
Trust: 0.6
title:Debian CVElist Bug Report Logs: libstruts1.2-java: CVE-2014-0114url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=96f4091aa31a0ece729fdcb110066df5
Trust: 0.1
title:Red Hat: CVE-2014-0094url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-0094
Trust: 0.1
title:VMware Security Advisories: VMware product updates address security vulnerabilities in Apache Struts libraryurl:https://vulmon.com/vendoradvisory?qidtp=vmware_security_advisories&qid=3f8f92a767d3e2773247be2d5077cbee
Trust: 0.1
title:Oracle: Oracle Critical Patch Update Advisory - April 2015url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4b527561ba1a5de7a529c8a93679f585
Trust: 0.1
title:CVE-2014-0094-test-program-for-struts1url:https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2014-0094 // 
            
            
            
            JVNDB: JVNDB-2014-001603 // 
            
            
            
            CNNVD: CNNVD-201403-191

EXTERNAL IDS
db:NVDid:CVE-2014-0094
Trust: 2.9
db:SECTRACKid:1029876
Trust: 2.4
db:BIDid:65999
Trust: 1.9
db:PACKETSTORMid:127215
Trust: 1.7
db:JVNid:JVN19294237
Trust: 1.6
db:SECUNIAid:56440
Trust: 1.6
db:SECUNIAid:59178
Trust: 1.6
db:JVNDBid:JVNDB-2014-000045
Trust: 1.6
db:JVNDBid:JVNDB-2014-001603
Trust: 0.8
db:CNNVDid:CNNVD-201403-191
Trust: 0.6
db:VULMONid:CVE-2014-0094
Trust: 0.1
sources:
            
            
            VULMON: CVE-2014-0094 // 
            
            
            
            BID: 65999 // 
            
            
            
            JVNDB: JVNDB-2014-001603 // 
            
            
            
            PACKETSTORM: 127215 // 
            
            
            
            CNNVD: CNNVD-201403-191 // 
            
            
            
            NVD: CVE-2014-0094

REFERENCES
url:http://www.securitytracker.com/id/1029876
Trust: 2.4
url:http://jvn.jp/en/jp/jvn19294237/index.html
Trust: 1.6
url:http://www.securityfocus.com/archive/1/532549/100/0/threaded
Trust: 1.6
url:http://jvndb.jvn.jp/jvndb/jvndb-2014-000045
Trust: 1.6
url:http://www.vmware.com/security/advisories/vmsa-2014-0007.html
Trust: 1.6
url:http://www.securityfocus.com/archive/1/531362/100/0/threaded
Trust: 1.6
url:http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
Trust: 1.6
url:http://secunia.com/advisories/59178
Trust: 1.6
url:http://www-01.ibm.com/support/docview.wss?uid=swg21676706
Trust: 1.6
url:http://secunia.com/advisories/56440
Trust: 1.6
url:http://www.securityfocus.com/bid/65999
Trust: 1.6
url:http://packetstormsecurity.com/files/127215/vmware-security-advisory-2014-0007.html
Trust: 1.6
url:http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
Trust: 1.6
url:http://struts.apache.org/release/2.3.x/docs/s2-020.html
Trust: 1.6
url:http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0094
Trust: 0.9
url:http://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0094
Trust: 0.8
url:http://struts.apache.org/
Trust: 0.3
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0050
Trust: 0.1
url:https://twitter.com/vmwaresrc
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0112
Trust: 0.1
url:https://www.vmware.com/support/policies/lifecycle.html
Trust: 0.1
url:http://kb.vmware.com/kb/2081470
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0112
Trust: 0.1
url:http://kb.vmware.com/kb/1055
Trust: 0.1
url:http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
Trust: 0.1
url:https://www.vmware.com/support/policies/security_response.html
Trust: 0.1
url:http://www.vmware.com/security/advisories
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0050
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-0094
Trust: 0.1
url:https://www.vmware.com/go/download-vcops
Trust: 0.1
sources:
            
            
            BID: 65999 // 
            
            
            
            JVNDB: JVNDB-2014-001603 // 
            
            
            
            PACKETSTORM: 127215 // 
            
            
            
            CNNVD: CNNVD-201403-191 // 
            
            
            
            NVD: CVE-2014-0094

CREDITS
Mark Thomas and Przemyslaw Celej
Trust: 0.3
sources:
            
            
            BID: 65999

SOURCES
db:VULMONid:CVE-2014-0094
db:BIDid:65999
db:JVNDBid:JVNDB-2014-001603
db:PACKETSTORMid:127215
db:CNNVDid:CNNVD-201403-191
db:NVDid:CVE-2014-0094

LAST UPDATE DATE
2024-08-14T13:01:39.181000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2014-0094date:2019-08-12T00:00:00
db:BIDid:65999date:2015-07-15T00:14:00
db:JVNDBid:JVNDB-2014-001603date:2014-06-03T00:00:00
db:CNNVDid:CNNVD-201403-191date:2019-08-15T00:00:00
db:NVDid:CVE-2014-0094date:2019-08-12T21:15:12.140

SOURCES RELEASE DATE
db:VULMONid:CVE-2014-0094date:2014-03-11T00:00:00
db:BIDid:65999date:2014-03-06T00:00:00
db:JVNDBid:JVNDB-2014-001603date:2014-03-12T00:00:00
db:PACKETSTORMid:127215date:2014-06-25T21:34:12
db:CNNVDid:CNNVD-201403-191date:2014-03-12T00:00:00
db:NVDid:CVE-2014-0094date:2014-03-11T13:00:37.107