Apache Struts ClassLoader Manipulation Vulnerability in IBM Products

 

Systems Affected


IBM WebSphere Application Server Version 7 & 6.1
IBM WebSphere Application Server Hypervisor Edition Version 7 & 6.1
IBM WebSphere Lombardi Edition version 7.2 and earlier
IBM Business Process Manager Standard Version 7.5.x, 8.0.x & 8.5.x
IBM Business Process Manager Express Version 7.5.x, 8.0.x & 8.5.x
IBM Business Process Manager Advanced Version 7.5.x, 8.0.x & 8.5.x

Threat Level


High


Overview


A vulnerability has been reported in the Apache Struts platform that could allow an unauthenticated remote attacker to execute arbitrary code on the affected system.


Description


The vulnerability exists in the ActionForm object of Apache Struts, which does not properly restrict access to the "class" parameter that is mapped directly to the getClass() method. A remote attacker could exploit this vulnerability by supplying the class parameter of an ActionForm object to manipulate the class loader used by the application server running Struts. Successful exploitation could allow the remote attacker to execute arbitrary code on the system.
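As an added example (not part of the CERT advisory or IBM's fix), the following Python detection rule flags request parameters that reach the ActionForm's "class" property, whether written in dotted or bracketed notation, and runs it over a few constructed access-log lines. The regular expression is my own construction; the permanent fix remains the vendor patches listed below.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A parameter name whose property path contains a "class" segment can reach
# getClass() on the bound ActionForm and, from there, the class loader.
# Covers "class.x", "form.class.x" and "form['Class'].x"; a plain prefix
# such as "className" is a legitimate property and is not flagged.
CLASS_PARAM_RE = re.compile(r"""(^|.*\.|.*\[['"])[cC]lass(\.|\[|['"]\]|$)""")


def is_classloader_manipulation(param_name: str) -> bool:
    """True if the parameter name addresses the 'class' property path."""
    return CLASS_PARAM_RE.match(param_name) is not None


def flag_request(query: str) -> list:
    """Return the parameter names in a query string that should be rejected.

    parse_qsl percent-decodes names, so "class%2EclassLoader" is caught too.
    """
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_classloader_manipulation(name)]


def scan_access_log(lines) -> list:
    """Return (client_ip, request_path, offending_params) for suspicious lines.

    Expects common/combined log format: the request line is the first quoted
    field, e.g. "GET /app/login.do?x=1 HTTP/1.1".
    """
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()
        if len(fields) < 2:
            continue
        offending = flag_request(urlsplit(fields[1]).query)
        if offending:
            hits.append((line.split()[0], fields[1], offending))
    return hits


# Constructed sample log lines (not real traffic); only the last two should match.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2014:10:12:01 +0000] "GET /app/login.do?username=bob&className=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Apr/2014:10:12:07 +0000] "GET /app/login.do?class.classLoader.x=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Apr/2014:10:12:09 +0000] "POST /app/save.do?form%5B%27Class%27%5D.y=2 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> rejected parameters: {params}")
```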


Impact



Solution / Workarounds


Apply the appropriate patches as described in the IBM support documents below.

http://www-01.ibm.com/support/docview.wss?uid=swg21674435
http://www-01.ibm.com/support/docview.wss?uid=swg21672316


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.