ID

VAR-201404-0288

CVE

CVE-2014-0114

TITLE

Apache Struts  And other products distributed  Apache Commons BeanUtils  In  ClassLoader  Vulnerability to be manipulated

DESCRIPTION

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Description: Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. (CVE-2014-0114) Refer to the readme.txt file included with the patch files for installation instructions. For the stable distribution (wheezy), this problem has been fixed in version 1.2.9-5+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1.2.9-9. We recommend that you upgrade your libstruts1.2-java packages. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Apache Struts is a framework for building web applications with Java. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/struts-1.2.9-4jpp.8.el5_10.src.rpm i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/struts-1.2.9-4jpp.8.el5_10.src.rpm i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm ia64: struts-1.2.9-4jpp.8.el5_10.ia64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ia64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ia64.rpm struts-manual-1.2.9-4jpp.8.el5_10.ia64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ia64.rpm ppc: struts-1.2.9-4jpp.8.el5_10.ppc.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ppc.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ppc.rpm struts-manual-1.2.9-4jpp.8.el5_10.ppc.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ppc.rpm s390x: struts-1.2.9-4jpp.8.el5_10.s390x.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.s390x.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.s390x.rpm struts-manual-1.2.9-4jpp.8.el5_10.s390x.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.s390x.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0114.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. Release Date: 2014-08-12 Last Updated: 2014-08-12 Potential Security Impact: Remote execution of arbitrary code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP SiteScope . References: CVE-2014-0114 (SSRT101662) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP SiteScope: v11.1x, v11.2x BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-0114 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided patches for HP SiteScope to address the vulnerability. Download the patch from HP Software Support Online according to the table below. SiteScope Affected version Resolution patch details Link to download 11.1x SiteScope 11.13 Windows 32-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00315 SiteScope 11.13 Windows 64-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00316 SiteScope 11.13 Linux 32-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00317 SiteScope 11.13 Linux 64-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00318 SiteScope 11.13 Solaris 32-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00319 SiteScope 11.13 Solaris 64-bit Cumulative Fixes http://support.openview.hp.com/selfsolve/document/LID/SIS_00320 11.2x SiteScope 11.24.271 Intermediate Patch for Windows 32bit and 64bit http://support.openview.hp.com/selfsolve/document/LID/SIS_00321 SiteScope 11.24.271 Intermediate Patch for Windows 32bit on 64bit http://support.openview.hp.com/selfsolve/document/LID/SIS_00322 SiteScope 11.24.271 Intermediate Patch for Linux http://support.openview.hp.com/selfsolve/document/LID/SIS_00323 SiteScope 11.24.271 Intermediate Patch for Solaris http://support.openview.hp.com/selfsolve/document/LID/SIS_00324 HISTORY Version:1 (rev.1) - 12 August 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. - HP Device Manager 7.6.1-06 - HP XP P9000 Tiered Storage Manager 7.6.1-06 - HP XP P9000 Replication Manager 7.6.1-06 - HP XP7 Global Link Manager Software 7.6.0-02 - HP Device Manager 8.0.0-06 - HP XP P9000 Tiered Storage Manager 8.0.0-06 - HP XP P9000 Replication Manager 8.0.0-06 - HP XP7 Global Link Manager Software 8.0.0-01 HISTORY Version:1 (rev.1) - 27 October 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Description: Red Hat Satellite is a systems management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and remote management of multiple Linux deployments with a single, centralized tool. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0008 Synopsis: VMware vSphere product updates to third party libraries Issue date: 2014-09-09 Updated on: 2014-09-09 (Initial Advisory) CVE numbers: --- Struts --- CVE-2014-0114 --- tc-server --- CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 --- glibc --- CVE-2013-0242 and CVE-2013-1914 --- JRE --- See references - ------------------------------------------------------------------------ 1. Summary VMware has updated vSphere third party libraries 2. Relevant releases VMware vCenter Server 5.5 prior to Update 2 VMware vCenter Update Manager 5.5 prior to Update 2 VMware ESXi 5.5 without patch ESXi550-201409101-SG 3. Problem Description a. vCenter Server Apache Struts Update The Apache Struts library is updated to address a security issue. This issue may lead to remote code execution after authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-0114 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates tc-server has been updated to version 2.9.5 to address multiple security issues. This version of tc-server includes Apache Tomcat 7.0.52. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending c. Update to ESXi glibc package glibc is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= ESXi 5.5 any ESXi550-201409101-SG ESXi 5.1 any Patch Pending ESXi 5.0 any Patch Pending d. vCenter and Update Manager, Oracle JRE 1.7 Update 55 Oracle has documented the CVE identifiers that are addressed in JRE 1.7.0 update 55 in the Oracle Java SE Critical Patch Update Advisory of April 2014. The References section provides a link to this advisory. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any not applicable * vCenter Server 5.0 any not applicable * vCenter Update Manager 5.5 any 5.5 Update 2 vCenter Update Manager 5.1 any not applicable * vCenter Update Manager 5.0 any not applicable * * this product uses the Oracle JRE 1.6.0 family * 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server and Update Manager 5.5u2 --------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere ESXi 5.5 -------- Download: https://www.vmware.com/patchmgr/findPatch.portal 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914 JRE --- Oracle Java SE Critical Patch Update Advisory of April 2014 http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html - ------------------------------------------------------------------------ 6. Change log 2014-09-09 VMSA-2014-0008 Initial security advisory in conjunction with the release of vSphere 5.5 Update 2 on 2014-09-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC he8AihUDo3UB9amCBiImxq0= =W0+t -----END PGP SIGNATURE----- . Thanks to the efforts of Alvaro Munoz and the HP Fortify team, the Apache Struts project team can recommend a first mitigation that is relatively simple to apply. It involves the introduction of a generic Servlet filter, adding the possibility to blacklist unacceptable request parameters based on regular expressions. Please see the corresponding HP Fortify blog entry [2] for detailed instructions. Based on this information, the Apache Struts project team recommends to apply the mitigation advice *immediately* for all Struts 1 based applications. Struts 1 has had its End-Of-Life announcement more than one year ago [3]. However, in a cross project effort the Struts team is looking for a correction or an improved mitigation path. Please stay tuned for further information regarding a solution. This is a cross-list posting. If you have questions regarding this report, please direct them to security@struts.apache.org only. [1] http://struts.apache.org/release/2.3.x/docs/s2-021.html [2] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro [3] http://struts.apache.org/struts1eol-announcement.html -- Ren\xe9 Gielen http://twitter.com/rgielen

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation error

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Rene Gielen

SOURCES

LAST UPDATE DATE

2024-12-25T19:50:24.473000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE