Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

ClassLoader Manipulation: Struts

Universal

Abstract

The target application uses a version of Apache Struts known to contain a remote command injection vulnerability (CVE-2014-0112 and CVE-2014-0114).

Explanation

The target application uses Apache Struts [1] version 1.x (pre-1.3.10) or 2.x (pre-2.3.16), which contains a remote command injection vulnerability identified as CVE-2014-0112 and CVE-2014-0114. [2, 3, 4, 5] The vulnerability results from insufficient validation performed by the ParametersInterceptor, allowing access to the getClass() method through the class parameter. This can enable an attacker to manipulate the ClassLoader and execute arbitrary Java code using crafted action parameters.

References

[1] Apache Struts Apache Software Foundation

[2] CVE-2014-0112 Mitre

[3] CVE-2014-0114 Mitre

[4] S2-020 Apache Software Foundation

[5] S2-021 Apache Software Foundation

[6] Muñoz, A. Struts2 zero day in the wild HPE Security Fortify Software Security Research

[7] Standards Mapping - Common Weakness Enumeration CWE ID 470

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A03 Injection

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.dynamic.xtended_preview.classloader_manipulation_struts