Summary

Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possibility to change internal state of session, request, etc

Maximum security rating

Moderate

Recommendation

Developers should immediately upgrade to Struts 2.3.20

Affected Software

Struts 2.0.0 - Struts 2.3.16.3

Reporter

Zubair Ashraf of IBM X-Force

CVE Identifier

CVE-2014-0116 - Struts' internals manipulation via CookieInterceptor

Problem

The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases and because of that attacker can change state of session, request and so on (when "*" is used to configure cookiesName param).

Solution

In Struts 2.3.20 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use CookieInterceptor you are safe.

Backward compatibility

No backward compatibility problems are expected.

Workaround

If you cannot upgrade to version 2.3.20 immediately - which is strongly advised - don't use wildcard mapping to accept cookie names or implement your own version of CookieInterceptor based on code provided in Struts 2.3.20.


  • No labels