Wed, 07 May 2014 15:22:00 +0000
LPS-46552 - Struts 1 Classloader manipulation
A zero-day security vulnerability in the ActionForms object in Struts 1.x allows remote attackers to manipulate the class loader. In some environments, this may allow attackers to execute arbitrary code.
While Liferay Portal utilizes Struts 1.x, Liferay Portal is *NOT* susceptible to this vulnerability because Liferay Portal does not uses Struts 1.x's ActionForm for any out of the box functionality. Plugin portlets authored by Liferay are also not vulnerable. However, sites using Liferay Portal may be vulnerable if:
- Custom Struts 1.x plugin portlets have been deployed to the environment AND
- The custom Struts 1.x plugin portlet uses ActionForm.
Liferay recommends a review of all custom plugins portlets. If you have a Struts plugin portlet and the portlet uses ActionForm, please considering taking appropriate actions, which may include:
- Increased monitoring
- Adding a filter to exclude parameters with "class" in the name (see this blog post from HP for working code you can add to your custom portlet's struts action servlet).
- Undeploying the plugin
Please see this blog post from HP on a convenient workaround.
Issue LinksNote that some or all of these may not yet be accessible. The CST remains committed to full disclosure of all security issues once fully resolved.
See the Community Security Team Process page for details on working with source and binary patches.
Binary Patch Links
Note: The below links point to a download page which contains multiple binary patches with the following naming scheme:
<patch-version>.zip. Be sure to use the latest patch for your Liferay release!
Note: Binary patches only apply to the release with which this issue is associated. Applying a binary patch to any other release will probably result in a broken install!
- TBA (To Be Announced)
Source Patch Links
Note that source patches only apply to the release with which this issue is associated. Applying a source patch to any other release will probably result in a broken install! For Github URLs suffixed with
.patch, removing this suffix will yield a graphical view of the patch
This issue was discovered and reported by Tomas Polesovsky