The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

The version of Apache Struts running on the remote host is 2.x prior to 2.3.16.2. It, therefore, is affected by multiple vulnerabilities:

  - A denial of service vulnerability exists in MultipartStrea.java in Apache Commons FileUpload due to failure to     handle exceptional conditions. A remote, unauthenticated attacker can exploit this issue to cause the application     to enter an infinite loop which may cause a denial of service condition. (CVE-2014-0050)

  - A class loader manipulation flaw exists in ParameterInterceptor due to improper validation of input data. An     attacker can exploit this issue to bypass certain security restriction and manipulate the ClassLoader.     (CVE-2015-0094)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Apache HTTP Server. A remote     attacker can exploit this, via partial HTTP requests,     to cause a daemon outage, resulting in a denial of     service condition. (CVE-2007-6750)

  - An HTTP request smuggling vulnerability exists due to a     flaw in the bundled version of Apache Tomcat; when an     HTTP connector or AJP connector is used, Tomcat fails to     properly handle certain inconsistent HTTP request     headers. A remote attacker can exploit this flaw, via     multiple Content-Length headers or a Content-Length     header and a 'Transfer-Encoding: chunked' header, to     smuggle an HTTP request in one or more Content-Length     headers. (CVE-2013-4286)

  - A denial of service vulnerability exists in the bundled     version of Apache Tomcat due to improper processing of     chunked transfer coding with a large amount of chunked     data or whitespace characters in an HTTP header value     within a trailer field. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2013-4322)

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Apache Tomcat; an integer     overflow condition exists in the parseChunkHeader()     function in ChunkedInputFilter.java. A remote attacker     can exploit this, via a malformed chunk size that is     part of a chunked request, to cause excessive     consumption of resources, resulting in a denial of     service condition. (CVE-2014-0075)

  - A remote code execution vulnerability exists due to a     flaw in the bundled version of Apache Struts. A remote     attacker can manipulate the ClassLoader via the class     parameter, resulting in the execution of arbitrary Java     code. (CVE-2014-0094)

  - An XML External Entity (XXE) injection vulnerability     exists due to a flaw in the bundled version of Apache     Tomcat; an incorrectly configured XML parser accepts     XML external entities from an untrusted source via XSLT.
    A remote attacker can exploit this, by sending specially     crafted XML data, to gain access to arbitrary files.
    (CVE-2014-0096)

  - An integer overflow condition exists in the bundled     version of Apache Tomcat. A remote attacker, via a     crafted Content-Length HTTP header, can conduct HTTP     request smuggling attacks. (CVE-2014-0099)

  - An information disclosure vulnerability exists due to a     flaw in the bundled version of Apache Tomcat. Tomcat     fails to properly constrain the class loader that     accesses the XML parser used with an XSLT stylesheet. A     remote attacker can exploit this, via a crafted web     application that provides an XML external entity     declaration in conjunction with an entity reference, to     read arbitrary files. (CVE-2014-0119)

  - A flaw exists in a bundled version of Samba due to a     flaw in the vfswrap_fsctl() function that is triggered     when responding to FSCTL_GET_SHADOW_COPY_DATA or     FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An     unauthenticated, remote attacker can exploit this, via     a specially crafted request, to disclose sensitive     information from process memory. (CVE-2014-0178)

  - Multiple flaws exist in the bundled version of Mozilla     Firefox that allow a remote attacker to execute     arbitrary code. (CVE-2014-1555, CVE-2014-1556,     CVE-2014-1557)

  - An information disclosure vulnerability exists due to     the chkauth password being saved in plaintext in the     audit log. A local attacker can exploit this to gain     administrator access. (CVE-2014-3077)

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Samba. An authenticated,     remote attacker can exploit this, via an attempt to read     a Unicode pathname without specifying the use of     Unicode, to cause an application crash. (CVE-2014-3493)   
  - A security bypass vulnerability exists due to an     unspecified flaw. A remote attacker can exploit this     flaw to reset the administrator password to its default     value via a direct request to the administrative IP     address. Note that this vulnerability only affects the     1.4.x release levels. (CVE-2014-4811)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : 

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

The version of vCenter Operations Manager installed on the remote host is prior to 5.8.2. It is, therefore, affected by the following vulnerabilities :

  - An error exists in the included Apache Tomcat version     related to handling 'Content-Type' HTTP headers and     multipart requests such as file uploads that could     allow denial of service attacks. (CVE-2014-0050)

  - A security bypass error exists due to the included     Apache Struts2 component, allowing manipulation of the     ClassLoader via the 'class' parameter, which is directly     mapped to the getClass() method. A remote,     unauthenticated attacker can take advantage of this     issue to manipulate the ClassLoader used by the     application server, allowing for the bypass of certain     security restrictions. Note that CVE-2014-0112 exists     because CVE-2014-0094 was not a complete fix.
    (CVE-2014-0094, CVE-2014-0112)

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due to the application allowing manipulation of the ClassLoader via the 'class' parameter, which is directly mapped to the getClass() method. A remote, unauthenticated attacker can take advantage of this issue to manipulate the ClassLoader used by the application server, allowing for the bypass of certain security restrictions.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

Note also that the application may also be affected by a denial of service vulnerability; however, Nessus has not tested for this additional issue.

ID	Name	Product	Family	Severity
117393	Apache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)	Nessus	Misc.	high
84401	IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities	Nessus	Misc.	high
83295	MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities	Nessus	CGI abuses	high
83293	MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities	Nessus	CGI abuses	high
76388	VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)	Nessus	Misc.	high
73203	Apache Struts 2 'class' Parameter ClassLoader Manipulation	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2014-0094

medium

Tenable Plugins

high

high

high

high

high

medium