Apache Struts 2 ClassLoader manipulation and denial of service (S2-020)
Description
Apache Struts 2 contains two critical vulnerabilities: a denial of service flaw in the Commons FileUpload library (version 1.3) used by the default upload mechanism, and a ClassLoader manipulation vulnerability through the ParametersInterceptor. The interceptor improperly allows access to the 'class' parameter, which directly maps to the getClass() method, enabling attackers to manipulate the Java ClassLoader and gain unauthorized access to application internals.
Remediation
Immediately upgrade to Apache Struts version 2.3.16.2 or later, which addresses both CVE-2014-0094 (ClassLoader manipulation) and CVE-2014-0050 (Commons FileUpload DoS). Follow these steps:
1. Update the Struts dependency in your project build file (pom.xml for Maven or build.gradle for Gradle) to version 2.3.16.2 or higher
2. Test the application thoroughly in a staging environment to ensure compatibility
3. Deploy the updated version to production
4. If immediate upgrade is not possible, implement a servlet filter to block requests containing 'class.' parameters as a temporary mitigation, though upgrading remains the only complete solution
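The following servlet filter is an added, hypothetical example of the temporary mitigation described in step 4; it is not code from the Struts project or from the original advisory. It assumes the javax.servlet API and uses a constructed, case-insensitive pattern that rejects any parameter name containing a "class" path segment (for example "class.classLoader.x" or "bean['class'].x"), which is broader than a plain "class." prefix check so that alternate OGNL spellings and casings of the same path are covered.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical stop-gap filter (not Apache's code): rejects requests carrying a
 * parameter name that could reach getClass() through the ParametersInterceptor.
 * Use only until the upgrade to Struts 2.3.16.2 or later is deployed.
 */
public class ClassParameterBlockingFilter implements Filter {

    // A "class" segment at the start of the name, or after '.', '[' or a quote,
    // followed by a further segment ('.', '[' or a quote). CASE_INSENSITIVE so
    // that "Class." or "CLASS[" do not slip through.
    static final Pattern FORBIDDEN_NAME = Pattern.compile(
            "(^|[.\\[\"'])class[.\\[\"']", Pattern.CASE_INSENSITIVE);

    /** True when a single parameter name matches the forbidden pattern. */
    static boolean isForbiddenParameterName(String name) {
        return name != null && FORBIDDEN_NAME.matcher(name).find();
    }

    /** True when any parameter name in the request matches. */
    static boolean hasForbiddenParameter(Map<String, String[]> params) {
        for (String name : params.keySet()) {
            if (isForbiddenParameterName(name)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // getParameterMap() exposes query-string and url-encoded form parameters;
        // the container caches the parsed map, so Struts still sees them later.
        if (hasForbiddenParameter(request.getParameterMap())) {
            HttpServletResponse http = (HttpServletResponse) response;
            http.sendError(HttpServletResponse.SC_BAD_REQUEST, "Rejected parameter name");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml with a filter-mapping on /* placed before the Struts dispatcher filter (StrutsPrepareAndExecuteFilter in 2.3.x) so it runs first. Two caveats a practitioner should weigh: getParameterMap() does not expose field names inside a multipart/form-data body (Struts parses those itself), so the filter only inspects the query string for upload requests; and a name-based denylist is inherently a stop-gap, which is why the advisory treats the upgrade as the only complete fix. Log rejections with the source address and parameter name so that probing for this issue is visible to security operations.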