ROSA Linux Bugzilla – Bug 4035
Update struts packages to fix this security vulnerability
Last modified: 2015-05-28 00:40:19 MSD
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader
used by an application server running Struts 1. This could lead to
remote code execution under certain conditions (CVE-2014-0114).
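As an added illustration (not code from this bug report, the Struts project, or the backported fix): one defensive check of the kind the description calls for is to refuse any request parameter whose bean-property path contains a "class" segment before the request map is ever handed to form population, so the getClass() / ClassLoader chain cannot be reached. The regex and class name are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Illustrative guard (not Struts code): filter request parameters before
 * they are populated into an ActionForm, rejecting any property path that
 * would resolve through the bean's "class" property.
 */
public class ClassParameterGuard {

    // Matches a path segment named "class" (case-insensitive): the whole
    // name, or a segment delimited by dots or followed by an index bracket.
    // This pattern is an assumption for the example, not the upstream patch.
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|\\.)class(\\.|\\[|$)", Pattern.CASE_INSENSITIVE);

    /** Returns the parameter names that must not be copied into the form. */
    public static List<String> rejectedParameters(Map<String, String[]> params) {
        List<String> rejected = new ArrayList<>();
        for (String name : params.keySet()) {
            if (CLASS_SEGMENT.matcher(name).find()) {
                rejected.add(name);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample request: two ordinary form fields plus two
        // parameters whose path walks from the form bean into its ClassLoader.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("userName", new String[]{"alice"});
        params.put("classroom", new String[]{"B12"}); // benign: "class" is not a full segment
        params.put("class.classLoader.someField", new String[]{"x"});
        params.put("address.Class.classLoader.someField", new String[]{"x"});

        List<String> rejected = rejectedParameters(params);
        // A real filter would log these names and answer with HTTP 400
        // instead of letting population continue.
        System.out.println("Rejected parameters: " + rejected);
    }
}
```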
Need retesting before releasing Enterprise X2.
Struts was not really used in Marathon, was moved to the contrib repository in Fresh and was removed from RED X2. But the version in our repositories is still subject to this vulnerability.
So let's recategorize this bug.
A fix for CVE-2014-0114 has been backported to our struts.