Mitigating The Apache Struts ClassLoader Manipulation Vulnerabilities Using ASM
Background
Recently the F5 security research team has seen a series of CVEs issued for the popular Apache Struts platform.
From Wikipedia:
Apache Struts was an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. It was originally created by Craig McClanahan and donated to the Apache Foundation in May, 2000. Formerly located under the Apache Jakarta Project and known as Jakarta Struts, it became a top-level Apache project in 2005.
The initial CVE-2014-0094 disclosed a critical vulnerability that allows an attacker to manipulate the ClassLoader by using the ‘class’ parameter, which is mapped directly to the getClass() method through the ParametersInterceptor module in the Struts framework.
The Apache Struts security bulletin recommended upgrading to Struts 2.3.16.1 to mitigate the vulnerability.
Alternatively, users were also able to mitigate this vulnerability using a configuration change on their current Struts installations.
The mitigation included adding the following regular expression to the list of disallowed parameters in ParametersInterceptor:
After several weeks, the fix was found to be incomplete, which led to four new CVEs: CVE-2014-0112, CVE-2014-0113, CVE-2014-0114 and CVE-2014-0116.
Note: When this article was first published, CVE-2014-0114 and CVE-2014-0116 had not yet been publicly disclosed and were not mentioned in it.
The article has since been edited to include mitigation for these CVEs as well.
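As an added illustration (written for this article, not code from Struts or from the original post), the following Python model shows the kind of parameter-name check the ParametersInterceptor exclusion is meant to enforce: each incoming name is split into its OGNL accessor segments and rejected when any segment would resolve to getClass(), regardless of case or bracket form. The helper names and the sample request are constructed.

```python
import re

# Characters that separate accessor segments in an OGNL-style parameter
# name: dots, square brackets, quotes and parentheses. (Constructed helper.)
_SEGMENT_SPLIT = re.compile(r"[.\[\]'\"()]")


def ognl_segments(param_name: str) -> list[str]:
    """Return the non-empty accessor segments of a parameter name.

    'user.address[0].city' -> ['user', 'address', '0', 'city']
    """
    return [seg for seg in _SEGMENT_SPLIT.split(param_name) if seg]


def is_blocked_param(param_name: str) -> bool:
    """True if any segment of the name would resolve to getClass().

    The comparison is per segment and case-insensitive, so 'classroom.id'
    is accepted while 'Class['loader']' and 'obj.class' are rejected.
    Substring matching would wrongly block the former.
    """
    return any(seg.lower() == "class" for seg in ognl_segments(param_name))


def filter_request_params(params: dict) -> tuple[dict, list[str]]:
    """Drop blocked parameter names before they reach the action.

    Returns the accepted parameters and the list of rejected names, which
    a deployment would log for detection purposes.
    """
    accepted, rejected = {}, []
    for name, value in params.items():
        if is_blocked_param(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample request: a mix of legitimate names and names that
# would reach getClass() through the ParametersInterceptor.
SAMPLE_REQUEST = {
    "userName": "alice",
    "user.address[0].city": "Seattle",
    "classroom.id": "7",
    "class.loader": "x",
    "Class['loader']": "x",
    "obj.class": "x",
}

if __name__ == "__main__":
    kept, dropped = filter_request_params(SAMPLE_REQUEST)
    print("accepted:", sorted(kept))
    print("rejected:", sorted(dropped))
```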
CVE-2014-0112 reports that the ClassLoader vulnerability is still reachable through parameters, and its security advisory suggests a new regular expression to include in the ParametersInterceptor config: