Zero-Day Attacks Continue in April: Multiple Vulnerabilities Found in Apache Struts Too
April 28, 2014   |  by Pavithra Hanchagaiah (Senior Security Researcher)

The recently discovered Internet Explorer and Flash zero-days were only the beginning. Two zero-days (CVE-2014-0112 and CVE-2014-0113) have also been found in Apache Struts, and the Apache Struts group is advising users on appropriate measures (S2-021) until an official patch is available.

The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.

Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts 2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked, and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user-supplied parameter values passed to ParametersInterceptor and CookieInterceptor.

  • CVE-2014-0112 was due to an incomplete security fix for another recent vulnerability, CVE-2014-0094, which was reported in early March and discussed in S2-020. The vulnerability is caused by improper handling of class parameter values in the ParametersInterceptor class; the class parameter is directly mapped to the getClass() method. Successful exploitation allows remote attackers to manipulate the ClassLoader objects used by the application server and leads to arbitrary code execution. ParametersInterceptor is one of the built-in Struts interceptors; it sets all request parameters on the value stack and gets them evaluated.
  • CVE-2014-0113 is similar to the previous vulnerability. CookieInterceptor is another built-in Interceptor, used to set values in the stack/action based on cookie name/value. The Java ClassLoader objects can be manipulated via CookieInterceptor, in the same way as through ParametersInterceptor, when it is configured to accept all cookies (when "*" is used to configure the cookiesName param).

Both these vulnerabilities affect Apache Struts versions from 2.0.0 until 2.3.16.2. It is strongly advised that Struts users upgrade to Struts 2.3.16.2. Otherwise, the class parameter can be excluded from the default configuration as shown below:

<interceptor-ref name="params">
    <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>

We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

  • 1006015 – Restrict Apache Struts ‘class.classLoader’ Request
  • 1006029 – Restrict Apache Struts ClassLoader Manipulation Via HTTP Cookie Header


Original article: Season of Zero-Days: Multiple Vulnerabilities in Apache Struts
by Pavithra Hanchagaiah (Senior Security Researcher)



© Copyright 2011 Trend Micro Inc. All rights reserved.