Resolution

Struts 2 does not ship with any supported Red Hat product. Applications using a third-party Struts 2 library, deployed to Red Hat JBoss products, may be affected. See below for details.

These flaws allow attackers to manipulate ClassLoader properties on the server. The impact of this depends on which ClassLoader properties are exposed. Exploits for CVE-2014-0094 that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products do expose ClassLoader properties that could potentially be exploited.

The following products expose ClassLoader properties that could be used by an attacker to read or execute files on the server that are outside the context path of the vulnerable Struts 2 application:

• JBoss EAP 4.3 CP10
• JWS 1.0.2 - Tomcat 6.0
• JWS 2.0.1 - Tomcat 6.0 and Tomcat 7.0
• RHEL 6 - Tomcat 6.0

Note: when running on Windows, attackers could use these flaws to achieve remote code execution on the products listed above, if they were able to control the content of a CIFS share that is accessible to the server.

The following products expose ClassLoader properties that could be used by an attacker, but for currently unknown reasons, they do not appear to be exploitable:

• JWS 1.0.2 - Tomcat 5.5
• RHEL 5 - Tomcat 5.5

The following products do not expose ClassLoader properties that are vulnerable to any currently known attack:

• JBoss EAP 6.2.2
• JBoss EAP 5.2.0