Does CVE-2014-0114 affect Struts 1 in Red Hat products?

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 5.x
  • Red Hat Network Satellite
    • 5.6
    • 5.5
    • 5.4
  • Red Hat JBoss Fuse
    • 6.x
  • Fuse ESB Enterprise
    • 7.x
  • Red Hat JBoss Operations Network (JON)
    • 3.x

Issue

Does CVE-2014-0114 affect Struts 1 in Red Hat products?

Resolution

Initial triage indicates that all releases of Struts 1 are affected by this issue, so every Red Hat product that includes Struts 1 is potentially vulnerable. Struts 1 is no longer supported upstream, so an upstream patch is not guaranteed to be shipped.

The environment section of this article lists all supported Red Hat products that include Struts 1. Red Hat released the following patches:

This flaw allows a remote attacker to manipulate ClassLoader properties on the server through crafted request parameters. The impact depends on which ClassLoader properties the servlet container exposes. Exploits that lead to remote code execution have been published; they rely on ClassLoader properties exposed by Tomcat 8, which no supported Red Hat product includes. However, some Red Hat products do expose ClassLoader properties that could potentially be exploited.

The following products expose ClassLoader properties that could be used by an attacker to read or execute files on the server that are outside the context path of the vulnerable Struts 1 application:

  • Red Hat Network Satellite 5.x on RHEL 6 (Tomcat 6)
  • Fuse ESB Enterprise 7.1.0
  • Red Hat JBoss Fuse 6.0

The following products expose ClassLoader properties that could be manipulated by an attacker, but for reasons not yet understood they do not appear to be exploitable:

  • RHEL 5 - Tomcat 5.5
  • Red Hat Network Satellite 5.x on RHEL 5 (Tomcat 5.5)

The following products do not expose ClassLoader properties that are vulnerable to any currently known attack:

  • JON 3.2.0

NOTE: CVE-2019-3834 was assigned when it was discovered that the remediation for CVE-2014-0114 in JBoss Operations Network 3 (JON) had been reverted. The remediation for this new CVE is the same as for CVE-2014-0114.

Root Cause

CVE-2014-0094 and CVE-2014-0112 describe flaws in Struts 2 that allow a remote attacker to manipulate the class loader on a vulnerable server, potentially leading to arbitrary remote code execution. Several security researchers have identified that Struts 1 is vulnerable to a similar issue, and some of these reports use CVE-2014-0094 to identify the flaw in Struts 1. The Apache security team has announced that Struts 1 is affected by a similar issue and has assigned CVE-2014-0114 to the flaw in Struts 1.
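The following example is added here to illustrate the parameter pattern behind this flaw; it is not Red Hat or Apache code and not part of the original article. Struts 1 populates ActionForm beans from request parameters using commons-beanutils nested property syntax, so a parameter named along the lines of `class.classLoader.<property>` reaches the form's `getClass().getClassLoader()` and sets a property on it. The script screens decoded parameter names for a path element named exactly `class` or `Class` (the regex is this example's own choice, in the style of the parameter-exclusion filters published as mitigations for this issue; check it against whatever filter you actually deploy) and runs that check over constructed Common Log Format access-log lines to find requests carrying such parameters. The sample log lines and parameter names are constructed for the example and are not a working exploit.

```python
"""Screen request parameter names for the CVE-2014-0114 ClassLoader pattern.

Added example, not Red Hat or Apache code. The regex and the sample log lines
are this example's own; the parameter names are illustrative, not an exploit.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# A property-path element named exactly "class" or "Class": preceded by the start
# of the name or a non-word character ('.', '[', ...) and followed by a non-word
# character. Ordinary names such as "classification" or "className" do not match.
# This exact pattern is the example's own choice (assumption), modelled on the
# parameter-exclusion filters published as mitigations for this issue.
CLASS_PARAM_RE = re.compile(r"(^|\W)[cC]lass\W")

# Common Log Format: client, ident, user, [time], "METHOD target protocol", status, size.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def is_classloader_probe(param_name: str) -> bool:
    """True if a decoded parameter name contains a 'class'/'Class' path element."""
    return CLASS_PARAM_RE.search(param_name) is not None


def offending_params(query: str) -> List[str]:
    """Decode a query string and return the parameter names that match.

    Decoding first matters: the container decodes percent-encoding before
    BeanUtils sees the name, so a filter must match on the decoded form too.
    """
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_classloader_probe(name)]


def scan_access_log(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Return (client, time, target, offending names) for each suspicious request.

    Caveat: only query strings appear in an access log. The same parameter names
    in a POST body are invisible here, so a clean scan is not proof of no probing.
    """
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        bad = offending_params(urlsplit(m.group("target")).query)
        if bad:
            hits.append((m.group("client"), m.group("time"), m.group("target"), bad))
    return hits


# Constructed sample log lines (not real traffic); the last two carry probe-style names.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2014:10:12:01 +0000] "GET /app/login.do?username=bob&password=x HTTP/1.1" 200 512',
    '198.51.100.2 - - [30/Apr/2014:10:12:09 +0000] "POST /app/order.do?classification=urgent&className=Foo HTTP/1.1" 302 0',
    '203.0.113.9 - - [30/Apr/2014:10:12:07 +0000] "GET /app/login.do?class.classLoader.someProp=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2014:10:12:15 +0000] "GET /app/order.do?form.Class.classLoader.list%5B0%5D=y HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for client, when, target, names in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} {target} -> {names}")
```

A parameter filter of this kind is a mitigation placed in front of the application, not a fix in the bean-population code itself; it is useful both as a servlet filter and, as shown here, as a retrospective check over access logs while patches from the Resolution section are being applied.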

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
