Apache Struts 2 ClassLoader manipulation and denial of service - Vulnerability Database


Description

Apache Struts 2 contains multiple critical vulnerabilities that allow an attacker to manipulate the Java ClassLoader through request parameters and to cause denial-of-service conditions. The ParametersInterceptor does not exclude the 'class' parameter, which OGNL resolves to the action's getClass() method; a parameter name beginning with class.classLoader therefore lets an unauthenticated attacker set properties on the application's ClassLoader. Separately, the default file upload mechanism uses Commons FileUpload 1.3, which is susceptible to a denial-of-service attack via a crafted multipart request boundary. The parameter exclusion pattern introduced in version 2.3.16.1 to block getClass() access can be bypassed with specially crafted parameter names (for example, nested or differently cased references to the class property). When CookieInterceptor is configured to accept all cookies (the "*" wildcard in its cookiesName parameter), cookie names are evaluated the same way and are exposed to the same attack vector. This vulnerability affects Apache Struts 2 versions prior to 2.3.20 and Apache Struts 1 versions 1.x through 1.3.10.

Remediation

Immediately upgrade to Apache Struts 2.3.20 or later, which addresses these vulnerabilities with stricter parameter exclusion patterns and an updated Commons FileUpload dependency. Follow these steps to remediate:

1. Upgrade Struts Framework: Update your application's dependencies to use Apache Struts 2.3.20 or the latest stable version.

2. Review Parameter Interceptor Configuration: Ensure that your struts.xml configuration explicitly excludes dangerous parameters. A pattern of the form ^class\..* is not sufficient: it only matches a parameter that begins with class. and is bypassed by a nested reference (for example model.class.classLoader...), by the capitalised form Class.classLoader..., and by bracket notation. Use the exclusion list published with the 2.3.16.2 fix (S2-021), which covers those forms:

<interceptor-ref name="params">
  <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>

Note that this configuration is a stop-gap for applications that cannot upgrade immediately; it does not replace the framework upgrade in step 1.

3. Configure CookieInterceptor Safely: If using CookieInterceptor, list the cookie names your application actually needs in the cookiesName parameter instead of using the "*" wildcard, so that attacker-controlled cookie names are never evaluated as OGNL property paths.

4. Test Thoroughly: After upgrading, perform comprehensive testing to ensure application functionality is maintained and the vulnerability is resolved.

5. For Struts 1 Users: Since Struts 1 has reached end-of-life, plan migration to a supported framework such as Struts 2 (latest version) or alternative modern web frameworks.
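The following Python script is an added example, not code from the original entry or from the Struts project. It models how ParametersInterceptor applies an excludeParams list (each comma-separated regex is tested with Java's Pattern.matches, i.e. a whole-string match, which re.fullmatch reproduces) and shows why the pattern change in step 2 matters: the weak ^class\..* list stops only the plain class.classLoader form, while the S2-021 list also stops the capitalised, nested and bracket forms described above. It also models the cookiesName check from step 3. The probe parameter names are constructed for the example, and the script deliberately ignores the interceptor's separate acceptParamNames check, so it is a configuration review aid, not a complete reimplementation of Struts.

```python
import re

# Constructed for this example: the weak exclude list (^class\..* only) and the
# list shipped with Struts 2.3.16.2 (S2-021). Both are comma-separated Java
# regexes exactly as they would appear in the excludeParams param in struts.xml.
WEAK_EXCLUDE = (
    r"^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,"
    r"^application\..*,^servlet(Request|Response)\..*,^parameters\..*,"
    r"^action:.*,^method:.*"
)
S2_021_EXCLUDE = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,"""
    r"^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)


def compile_exclude_params(exclude_params: str):
    """Split an excludeParams value on commas and compile each regex."""
    return [re.compile(p.strip()) for p in exclude_params.split(",") if p.strip()]


def is_excluded(param_name: str, patterns) -> bool:
    """Struts rejects a parameter if any pattern matches the whole name
    (Pattern.matcher(name).matches()); re.fullmatch is the equivalent."""
    return any(p.fullmatch(param_name) for p in patterns)


# Constructed probe names: the ClassLoader property path from S2-020 plus the
# shapes that slipped past the first exclude pattern (S2-021), and one benign
# parameter that a correct exclude list must leave alone.
CLASSLOADER_PATH = "resources.context.parent.pipeline.first.directory"
PROBE_PARAMS = [
    "class.classLoader." + CLASSLOADER_PATH,          # plain form (S2-020)
    "Class.classLoader." + CLASSLOADER_PATH,          # capitalised property
    "model.class.classLoader." + CLASSLOADER_PATH,    # nested via ModelDriven
    "class['classLoader']['resources']['context']['parent']['pipeline']['first']['directory']",
    "user.name",                                      # legitimate parameter
]


def evaluate(exclude_params: str) -> dict:
    """Map each probe parameter name to True if the exclude list drops it."""
    patterns = compile_exclude_params(exclude_params)
    return {name: is_excluded(name, patterns) for name in PROBE_PARAMS}


def leaks(exclude_params: str) -> list:
    """Hostile probe names that would reach OGNL under the given exclude list."""
    return [
        name for name, blocked in evaluate(exclude_params).items()
        if not blocked and name != "user.name"
    ]


def cookie_accepted(cookie_name: str, cookies_name: str) -> bool:
    """Model of CookieInterceptor's cookiesName param: "*" pushes every cookie
    onto the value stack, otherwise only the listed names are pushed."""
    allowed = {n.strip() for n in cookies_name.split(",") if n.strip()}
    return "*" in allowed or cookie_name in allowed


if __name__ == "__main__":
    for label, exclude in (("weak", WEAK_EXCLUDE), ("S2-021", S2_021_EXCLUDE)):
        print(f"{label} exclude list lets through: {leaks(exclude)}")
    hostile_cookie = "class.classLoader." + CLASSLOADER_PATH
    print("cookiesName='*' accepts hostile cookie:",
          cookie_accepted(hostile_cookie, "*"))
    print("explicit list accepts hostile cookie:",
          cookie_accepted(hostile_cookie, "JSESSIONID,theme"))
```

Run against a real configuration by pasting the excludeParams value from your struts.xml into the script; the list printed for the weak pattern is the set of parameter names you would expect a scanner to probe, and an empty list for your own pattern is the minimum bar before relying on it as a stop-gap.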
