Apache Struts 1.2.9 with SP1 by NTT DATA

Introduction

NTT DATA has fixed the vulnerability in Apache Struts 1 (CVE-2014-0114) and provides Apache Struts 1.2.9 with Security Patch 1, contributed by NTT DATA (hereinafter referred to as Struts 1.2.9 sp1), under the Apache License, Version 2.0, because TERASOLUNA Framework bundles Apache Struts 1.2.9.

TERASOLUNA Framework is NTT DATA’s framework, with high credibility and a large number of proven track records. Based on de facto standard technologies in the system development field, TERASOLUNA is used in hundreds of projects in NTT DATA to achieve high quality and productivity in system development.

  • CVE-2014-0114
    • Struts 1.x through 1.3.10 has a vulnerability in which a request parameter named “class” is mapped to the getClass method, so that the ClassLoader can be manipulated through the ActionForm and execution of arbitrary code becomes possible.

Struts 1.2.9 sp1

Struts 1.2.9 sp1 contains the following changes to Struts 1.2.9.

  • Changes
    1. In the populate() method of the RequestUtils class, a request parameter that fulfills either of the following conditions is treated as an unacceptable request parameter. If a prefix is set in struts-config.xml, the request parameter name with the prefix removed is checked.
      • A request parameter name starts with “class.”.
      • A request parameter name includes “.class.”.
    2. If an unacceptable request parameter is included in the request parameters, that parameter is not stored in the ActionForm and an INFO-level log message is output. The remaining request parameters are processed as normal.
      • Log Example: [yyyy/mm/dd hh:mm:ss][INFO][RequestUtils] ignore parameter: paramName=class.xxx.case1
  • Location of changes

The Conditions for the unacceptable request parameter

These conditions are the minimum required to reject the malicious request, and were derived from the following fact: Struts 1 handles parameter names case-sensitively internally, e.g. the first letter of “class”. If the parameter is “Class” (starting with an upper-case letter), the attack on this vulnerability will not succeed.
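
The two conditions and the case-sensitivity point above, written out as an added example. This is not the RequestUtils code shipped in this update: the class name, the filter() helper, the prefix handling and the sample parameter names are assumptions made for illustration, and the log line only imitates the log example above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration of the sp1 conditions; not the patched RequestUtils source.
public class ClassParamFilterDemo {

    // True when the name (prefix already removed) meets either condition.
    // The comparison is case-sensitive, as the conditions require.
    static boolean isUnacceptable(String name) {
        return name.startsWith("class.") || name.indexOf(".class.") >= 0;
    }

    // Hypothetical helper: returns the parameters that would be stored in the
    // ActionForm. Assumes names that lack the configured prefix are skipped.
    static Map<String, String> filter(Map<String, String> params, String prefix) {
        Map<String, String> accepted = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String stripped = e.getKey();
            if (prefix != null) {
                if (!stripped.startsWith(prefix)) continue;
                stripped = stripped.substring(prefix.length());
            }
            if (isUnacceptable(stripped)) {
                // Log text modelled on the page's log example (assumed format).
                System.out.println("[INFO][RequestUtils] ignore parameter: paramName=" + stripped);
                continue; // dropped; the remaining parameters are still processed
            }
            accepted.put(stripped, e.getValue());
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names.
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("class.xxx.case1", "v"); // starts with "class."
        params.put("user.class.xxx", "v");  // includes ".class."
        params.put("form.class.xxx", "v");  // starts with "class." once prefix "form." is removed
        params.put("Class.xxx", "v");       // upper-case C: matches neither condition
        params.put("classroom.name", "v");  // "class" without the dot: matches neither condition
        params.put("form.name", "v");
        System.out.println("no prefix:      " + filter(params, null).keySet());
        System.out.println("prefix \"form.\": " + filter(params, "form.").keySet());
    }
}
```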

Constraints

With this update, if a DynaActionForm has a property named “class” (Type: JavaBean), the value of that property cannot be set from a request parameter.

Upgrading Struts 1.2.9 to Struts 1.2.9 sp1

Replace the existing Struts jar file “struts.jar”, with the “struts.jar” provided in this update.

Only “struts.jar” has to be replaced. No change is required for the libraries on which Struts depends.

Building Struts 1.2.9 sp1 from source code

The following procedure builds the jar file (“struts.jar”) from the source code of struts-1.2.9-sp1 provided in this update.

  1. Installing JDK1.3.1_04
  2. Installing apache-ant-1.6.1 and addition of libraries
    Add the following libraries under the lib directory of ant after deploying apache-ant-1.6.1.
    • commons-logging-1.0.4.jar
    • junit-3.8.1.jar
    • xalan-2.5.1.jar
  3. Deploying the source of struts-1.2.9-sp1
    Unzip the source-code zip file in any directory of choice and create a lib folder directly under the “struts-1.2.9-sp1-src” folder.
  4. Deploying jar files necessary for build
    Place the following jar files in any directory of choice.
    • antlr-2.7.2.jar
    • checkstyle-2.4.jar
    • commons-beanutils-1.7.0.jar
    • commons-digester-1.6.jar
    • commons-fileupload-1.0.jar
    • commons-logging-1.0.4.jar
    • commons-validator-1.1.4.jar
    • junit-3.8.1.jar
    • log4j-1.2.14.jar
    • servletapi-2.3.jar
    • xerces-1.4.4.jar
    • oro-2.0.7.jar
    • jakarta-taglibs-standard-1.0
      • jstl.jar
      • standard.jar
    • jakarta-tomcat-4.0.6
      • jdbc2_0-stdext.jar
  5. Creating configuration files for build
    Rename build.properties.sample to build.properties and change the paths in the properties file according to the environment of the respective project.
  6. Setting the environment variables used in build
    Set the below environment variables according to the environment of the respective project.
    • JAVA_HOME
    • ANT_HOME
  7. Execute ant and build

Download

References

CVE - CVE-2014-0114

JVNDB-2014-002308 - JVN iPedia – Vulnerability Countermeasure Information Database

Regarding the countermeasure for vulnerability of Apache Struts2 (CVE-2014-0094)(CVE-2014-0112)(CVE-2014-0113):IPA Information Technology Promotion Agency, Japan

Disclaimer

Unless required by applicable law or agreed to in writing, Struts 1.2.9 sp1 distributed under the Apache License, Version 2.0 is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the Apache License, Version 2.0 for the specific language governing permissions and limitations under the License.

*TERASOLUNA is a registered trademark or trademark of NTT DATA Corporation in Japan and other countries.
*Other company names, product names and service names mentioned are trademarks or registered trademarks of the respective companies(owners).