ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

The version of Apache Struts running on the remote host is 2.x prior to to 2.3.20. It, therefore, is affected by multiple class loader vulnerabilities:

  - A class loader vulnerability exists in ParametersInterceptor due to improper access restriction to the getClass     method. A remote, unauthenticated attacker can exploit this to manipulate the ClassLoader and execute arbitrary     code. (CVE-2014-0112)

  - A class loader vulnerability exists in CookieInterceptor due to improper access restriction to the getClass. A     remote, unauthenticated attacker can exploit this, via a specially crafted request which uses a wildcard cookiesName     value to manipulate the ClassLoader and execute arbitrary code. (CVE-2014-0113)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Oracle WebCenter Sites installed on the remote host is missing patches from the April 2015 CPU. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - ParametersInterceptor in Apache Struts does not properly     restrict access to the getClass method. A remote     attacker, using a crafted request, can exploit this to     manipulate the ClassLoader, thus allowing the execution     of arbitrary code. (CVE-2014-0112)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : 

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

The version of vCenter Operations Manager installed on the remote host is prior to 5.8.2. It is, therefore, affected by the following vulnerabilities :

  - An error exists in the included Apache Tomcat version     related to handling 'Content-Type' HTTP headers and     multipart requests such as file uploads that could     allow denial of service attacks. (CVE-2014-0050)

  - A security bypass error exists due to the included     Apache Struts2 component, allowing manipulation of the     ClassLoader via the 'class' parameter, which is directly     mapped to the getClass() method. A remote,     unauthenticated attacker can take advantage of this     issue to manipulate the ClassLoader used by the     application server, allowing for the bypass of certain     security restrictions. Note that CVE-2014-0112 exists     because CVE-2014-0094 was not a complete fix.
    (CVE-2014-0094, CVE-2014-0112)

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability, possibly due to an incomplete fix for ClassLoader manipulation implemented in version 2.3.16.1.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

ID	Name	Product	Family	Severity
117457	Apache Struts 2.x < 2.3.20 Multiple ClassLoader Manipulation Vulnerabilities (S2-021)	Nessus	Misc.	high
83469	Oracle WebCenter Sites Multiple Vulnerabilities (April 2015 CPU)	Nessus	Windows	high
83295	MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities	Nessus	CGI abuses	high
83293	MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities	Nessus	CGI abuses	high
76388	VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)	Nessus	Misc.	high
73763	Apache Struts 2 ClassLoader Manipulation Incomplete Fix for Security Bypass	Nessus	Denial of Service	high

Detections

Analytics

CVE-2014-0112

high

Tenable Plugins

high

high

high

high

high

high