Channel: Symantec Connect - Blog Entries

Emerging Threat: Apache Struts Zero-Day (CVE-2014-0050, 0094) DoS and Remote Code Execution Vulnerability

EXECUTIVE SUMMARY:

On April 24, 2014, the Apache Software Foundation (ASF) (http://www.apache.org) released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts up to version 2.3.16.1 did not fully fix the vulnerability. The flaw may result in remote code execution via ClassLoader manipulation (CVE-2014-0094) or in DoS attacks (CVE-2014-0050).

[Apache] Struts is an extensible framework used for creating enterprise Java Web applications.

According to Apache, in Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved [on March 2]. Unfortunately, the correction (Apache Struts Security Bulletin S2-020) was not sufficient. A security fix release fully addressing this issue is in preparation and will be released as soon as possible [likely within 72 hours as per the Apache Struts team].

Once the release is available, all [Apache] Struts 2 users are strongly recommended to update their installations.
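
Until the fixed release is installed, access logs can be reviewed for requests whose parameter names address the ClassLoader. The scanner below is an added example, not code from Symantec or Apache; the matching rule, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a parameter name is suspicious when any path segment equals
# "class" or "classLoader" (any case), written in dot or bracket notation.
SEGMENT_SPLIT = re.compile(r"[.\[\]'\"]+")
SUSPICIOUS = {"class", "classloader"}

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return decoded parameter names in a request target that reference class/classLoader."""
    hits = []
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        decoded = unquote(name)
        segments = {s.lower() for s in SEGMENT_SPLIT.split(decoded) if s}
        if segments & SUSPICIOUS:
            hits.append(decoded)
    return hits

def scan(lines):
    """Return (client_ip, target, hits) for each log line with a suspicious parameter name."""
    results = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            results.append((line.split(" ", 1)[0], match.group("target"), hits))
    return results

# Constructed sample log lines (documentation addresses, placeholder property names).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2014:10:00:01 +0000] "GET /app/login.action?user=alice&classroom=7 HTTP/1.1" 200 512',
    '192.0.2.44 - - [25/Apr/2014:10:00:05 +0000] "GET /app/view.action?class.classLoader.placeholder=x HTTP/1.1" 200 733',
    '192.0.2.44 - - [25/Apr/2014:10:00:09 +0000] "GET /app/view.action?item%5B%27class%27%5D.placeholder=x HTTP/1.1" 200 733',
    '192.0.2.77 - - [25/Apr/2014:10:00:12 +0000] "POST /app/save.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, hits)
```

Access logs normally record only the query string, so parameters sent in POST bodies need to be checked at a proxy, WAF or application filter instead.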

