Apache Struts 2 ClassLoader manipulation and denial of service

Description
  • The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows denial-of-service (DoS) attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is mapped directly to the getClass() method and so allows ClassLoader manipulation.

    The excluded parameter pattern introduced in version 2.3.16.1 to block access to the getClass() method wasn't sufficient: it can be bypassed with specially crafted requests. CookieInterceptor is vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure the cookiesName param).

    This vulnerability also affects Apache Struts 1 versions 1.x (<= 1.3.10).
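    The following added example is not part of this advisory or of the Struts project. It is an out-of-band log scan a defender can run while an upgrade is pending: it flags request parameter names (and, for the "*" cookiesName case, cookie names) that would reach the 'class' property, and contrasts a hardened check with a naive, case-sensitive, dot-only pattern to show why such a pattern is not sufficient (OGNL resolves property names case-insensitively and also accepts bracket notation). The regular expressions, log lines and cookie header below are constructed for illustration and are not copied from any Struts release.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Denylist for parameter/cookie names that reach the "class" property (getClass()).
# OGNL looks up getters case-insensitively and accepts bracket notation, so a
# useful check must handle "Class", "class[...]" and "foo['class']" as well as
# plain "class.". Assumption: this pattern is written here for illustration and
# is not copied from any Struts release.
CLASS_ACCESS = re.compile(r"""(^|\.|\[['"]?)class(\.|\]|['"]\]|\[|$)""", re.IGNORECASE)

# A naive, case-sensitive, dot-only denylist of the kind that is easy to get
# around (constructed for comparison; not a quoted Struts pattern).
NAIVE_CLASS_ACCESS = re.compile(r"^class\..*")

# Extracts the request target from a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def names_reaching_get_class(names, pattern=CLASS_ACCESS):
    """Return the names from `names` that the denylist would flag."""
    return [n for n in names if pattern.search(n)]


def param_names_from_log_line(line):
    """Decoded query-parameter names from one access-log line.

    parse_qsl percent-decodes names, so an encoded bracket form is checked in
    its decoded shape, the same shape the interceptor would see. POST bodies
    are not in an access log, so they are out of scope for this scan.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def cookie_names(cookie_header):
    """Cookie names from a raw Cookie header value.

    Lenient split on purpose: the point is to see every name a '*' cookiesName
    configuration would pass through, not to validate the cookies.
    """
    names = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            names.append(part.split("=", 1)[0].strip())
    return names


def scan_log(lines, pattern=CLASS_ACCESS):
    """(line number, flagged parameter names) for each line with a hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        flagged = names_reaching_get_class(param_names_from_log_line(line), pattern)
        if flagged:
            hits.append((lineno, flagged))
    return hits


# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2014:00:00:00 +0000] "GET /app/login.action?username=bob&password=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2014:00:00:01 +0000] "GET /app/login.action?Class.classLoader.foo=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2014:00:00:02 +0000] "GET /app/login.action?class%5B%27classLoader%27%5D.bar=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2014:00:00:03 +0000] "GET /app/search.action?classification=public&subclass=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("hardened:", scan_log(LOG_LINES))
    print("naive:   ", scan_log(LOG_LINES, NAIVE_CLASS_ACCESS))
    print("cookies: ", names_reaching_get_class(cookie_names("JSESSIONID=abc; Class.classLoader.foo=1")))
```

    Run against the constructed lines, the hardened check flags lines 2 and 3 while the naive pattern flags nothing, and names such as `classification` or `subclass` are not reported. This is a detection aid only; the remediation is the upgrade below, since the interceptor is what ultimately decides which names are bound.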
Remediation
  • Upgrade to Struts 2.3.16.2.
References