LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

Synopsis:          Important: struts security update
Advisory ID:       SLSA-2014:0474-1
Issue Date:        2014-05-07
CVE Numbers:       CVE-2014-0114
--

It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)

All running applications using struts must be restarted for this update to
take effect.
--

SL5
  x86_64
    struts-1.2.9-4jpp.8.el5_10.x86_64.rpm
    struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm
    struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm
    struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm
    struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm
  i386
    struts-1.2.9-4jpp.8.el5_10.i386.rpm
    struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm
    struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm
    struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm
    struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm

- Scientific Linux Development Team