Description
A zero-day security vulnerability in the ActionForms object in Struts 1.x allows remote attackers to manipulate the class loader. In some environments, this may allow attackers to execute arbitrary code.
While Liferay Portal utilizes Struts 1.x, Liferay Portal is *NOT* susceptible to this vulnerability because Liferay Portal does not uses Struts 1.x's ActionForm for any out of the box functionality. Plugin portlets authored by Liferay are also not vulnerable. However, sites using Liferay Portal may be vulnerable if:
- Custom Struts 1.x plugin portlets have been deployed to the environment AND
- The custom Struts 1.x plugin portlet uses ActionForm.
Liferay recommends a review of all custom plugins portlets. If you have a Struts plugin portlet and the portlet uses ActionForm, please considering taking appropriate actions, which may include:
- Increased monitoring
- Adding a filter to exclude parameters with "class" in the name (see this blog post from HP for working code you can add to your custom portlet's struts action servlet).
- Undeploying the plugin
More Information about this vulnerability.
Severity
Severity 1
Acknowledgments
This issue was reported by Tomas Polesovsky
Publication date: Wed, 07 May 2014 15:22:00 +0000