How to reproduce the security issue CVE-2014-0094? I googled but wasn't able to find any reference to it.
Got it working.
I have to enable logging (for ognl package) to see the error.
Pass in a parameter like class.classLoader.resource.dircontext.docBase=someText to the struts2 application.
localhost:8080/sampleApp/showlogin.do?class.classLoader.resource.dircontext.docBase=someText
Then in the log I would see something like this.
java.lang.IllegalArgumentException: Document base base does not exist or is not a readable directory
at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:136)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
After applying the workaround, I no longer see the above error in the log.
Reference:
http://www.brentron.com/safe/web/9248.html
http://isayan.cocolog-nifty.com/diary/2014/04/s2-020.html
To get better help, I suggest you follow the guidelines in the official Struts2 Security Bulletins.
The bug you are referring to has been reported in S2-020, and has both a workaround without upgrading, and a patch in Struts 2.3.16.1.
WARNING: the above patch is not enough, as reported in S2-021, so there are both a new workaround (for users that can't immediately upgrade) and a definitive patch in Struts 2.3.16.2.
To reproduce the issue just send
http://host/struts2-blank/example/X.action?class.classLoader
The issue is documented under S2-020.
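A detection-side companion to the reproduction steps above, as an added example that is not part of the original posts: a Python check that flags access-log requests whose parameter names walk through a "class" property. The log format, sample lines and function names are constructed for illustration, and matching bracketed names as well as dotted ones is this example's own generalization.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Split an OGNL-style parameter name into path segments:
# a.b['c']["d"] -> ["a", "b", "c", "d"]
_SEGMENT = re.compile(r"""\[\s*['"]?([^'"\]]+)['"]?\s*\]|([^.\[\]]+)""")

def path_segments(name):
    return [(m.group(1) or m.group(2)).strip() for m in _SEGMENT.finditer(name)]

def is_class_traversal(name):
    """True if any whole segment of the parameter name is 'class' (any case)."""
    return any(seg.lower() == "class" for seg in path_segments(name))

def suspicious_params(request_target):
    """Return the parameter names in a request target that walk through 'class'."""
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes names; keep_blank_values keeps "?class.classLoader"
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if is_class_traversal(n)]

_REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return [(line_number, [param names])] for each flagged access-log line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _REQUEST.search(line)
        found = suspicious_params(m.group(1)) if m else []
        if found:
            hits.append((lineno, found))
    return hits

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/May/2014:10:00:00 +0000] "GET /sampleApp/showlogin.do?user=bob HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/May/2014:10:00:01 +0000] "GET /sampleApp/showlogin.do?class.classLoader.resource.dircontext.docBase=someText HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/May/2014:10:00:02 +0000] "GET /struts2-blank/example/X.action?class.classLoader HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/May/2014:10:00:03 +0000] "GET /sampleApp/list.do?classification=a&item%2Eclass=b HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, names in scan_access_log(SAMPLE_LOG):
        print(lineno, names)
```

Matching whole path segments rather than substrings keeps an ordinary name such as classification from being flagged, while a percent-encoded dot (item%2Eclass) is still caught after decoding.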
Related
I'm trying to initialize a local Hybris 2205.3 version and getting the following error:
ERROR [hybrisHTTP27] [HacInitUpdateFacade] Failed to initialize
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized.
Using Oracle JDK 17.0.4.1. Initialization triggered from HAC.
I've also tried adding the following property to tomcat.generaloptions, which didn't help:
"-Djavax.xml.accessExternalSchema=all"
Any pointers to fix this? Or need more information?
It could be that one of the custom jars is an older version and conflicts with OOB. In one of our projects we faced a similar issue and found that the xerces.jar version in custom code was a lower version.
Both jars, i.e. in OOB and custom, had the xmlconstant class, but the lower-version jar used in custom code didn't have accessExternalSchema as a class variable and was being picked up by the system on startup because of the conflict.
Oracle JDK is not supported anymore; you need to try with SapMachine 17.0.
The full system requirements by version are here.
We resolved the issue with Oracle JDK 17 only. We faced the same issue while upgrading from 2105 to 2211. This is due to a jar dependency. We tried the solution given above but it didn't work for us. We researched more and found that a dependency on xerces caused the conflict. We also found there is "xerces-2.12-orbeon" in OOTB. We did two things to resolve the issue:
We updated the classpath with xerces-2.12-orbeon (the OOTB jar) in our custom code.
We needed to modify some of the code base, as we were using xerces for Base64 encryption and decryption for SSO.
Please let me know if you have any questions, I will try my best to respond in time.
Regards,
Abhijit Das
Please find the link here:
https://answers.sap.com/questions/13781195/hybris-2211-upgradation-error.html?childToView=13818282
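One way to look for the kind of jar conflict the answers above describe, as an added example that is not from the original posts or from SAP: a Python scan that lists every jar bundling its own javax.xml.XMLConstants and reports the copies that lack the accessExternalSchema property. It assumes the property URI from the error message appears as a literal in the class file; the directory layout, jar names and function names are constructed for illustration.

```python
import os
import tempfile
import zipfile

CLASS_ENTRY = "javax/xml/XMLConstants.class"
# Assumption: the property URI is a String constant, so it is stored as
# plain UTF-8 text inside the compiled class file.
MARKER = b"http://javax.xml.XMLConstants/property/accessExternalSchema"

def scan_jars(root):
    """Return {jar_path: has_property} for every jar under root that
    bundles its own copy of javax.xml.XMLConstants."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if CLASS_ENTRY in jar.namelist():
                        found[path] = MARKER in jar.read(CLASS_ENTRY)
            except zipfile.BadZipFile:
                continue  # skip truncated or non-zip files named *.jar
    return found

def outdated_copies(root):
    """Jars whose XMLConstants copy does not know accessExternalSchema."""
    return sorted(p for p, ok in scan_jars(root).items() if not ok)

def build_demo_tree(root):
    """Constructed sample: three fake jars with stand-in class bytes."""
    def make(rel, entries):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)
    make("platform/lib/new-xml.jar", {CLASS_ENTRY: b"\xca\xfe\xba\xbe" + MARKER})
    make("custom/lib/old-xml.jar", {CLASS_ENTRY: b"\xca\xfe\xba\xbe" + b"old"})
    make("custom/lib/other.jar", {"com/example/A.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for jar in outdated_copies(tmp):
            print("XMLConstants without accessExternalSchema:", jar)
```

More than one entry in the scan_jars result means the class exists in several places on disk, and which copy wins depends on classpath order.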
I upgraded struts2 to 2.3.32 with no problem, but I also depend on struts2-tiles-plugin-2.3.15.3.jar which I can't upgrade as easily. Is this a problem or is upgrading struts2-core enough to fix the issue?
No, I think. In S2-046's workaround section I read:
Another option is to remove the File Upload Interceptor from the stack
Which means that the vulnerability was inside core. However, struts2-tiles-plugin does not have a dependency on core!
I'm using Solr 5.2.1 with Jetty. In my logs (solr.log) there's an error:
"org.apache.solr.core.CoreContainer; Error creating core [dosweb]: Could not load conf for core project : Error loading solr config from solrconfig.xml"
I understand it's because of a misconfiguration for the Solr version, and it is showing me this exception:
Caused by: java.lang.IllegalArgumentException: Illegal parameter 'termIndexInterval'
What should I do to fix it?
Thanks a lot.
Not enough data.
It seems like your core is misconfigured for 5.2.1.
I'd suggest that you try first with a reference configuration core, or a reference empty core, make sure that works, and then merge the config from the dosWeb core to the newly created core in steps.
This way you will find the part of the configuration that causes the issue.
EDIT -
After you added information (still not enough - a snippet of the offending configuration would have been good) I've been able to track down the bug that refers to the issue you get.
https://issues.apache.org/jira/browse/SOLR-6560
Essentially - the configuration for termIndexInterval is now not only deprecated, but can't be done in a standard way at all. From what I understand from the bug, it's also not needed anymore.
It appears to me that there is a bug in NioFileLocker.unlock() method (spring integration v4.1.4.RELEASE). Method clears up classloader level cache by calling FileChannelCache.closeChannelFor(fileToUnlock);, but it never tries to clean up its local lockCache.
Is this a bug, or am I missing something? Thanks.
I've not looked at that code before, but it looks suspicious to me; please open a JIRA Issue.
Please also consider contributing a fix.
In UrlMappings.groovy, I have set "500"(controller:'error', action:'error') so that my own error controller (and view) is used.
It usually works, however when I tried tampering with the request input (submitting a parameter with 1MB size), I got a Tomcat generated error page with HTTP Status 500.
First I thought this error was only generated by Tomcat so that grails couldn't do anything about it, but the Exception is an org.springframework.web.util.NestedServletException (nested Exception java.lang.StackOverflowError) and there are many org.codehaus.groovy.grails packaged Classes in the stack trace.
I think showing this Exception including stack trace to potential attackers is dangerous, so how can I configure grails to always show my own error page? Or is it only possible to configure that in Tomcat?
It's possible that this is a Grails bug. I found this Nabble thread which directed me to this JIRA issue. That issue was resolved, but in the comments Peter Ledbrook linked to a different JIRA issue that may or may not be your problem.
If that does look like what's happening for you, there's a workaround suggested in the comments, which can be found here. The bug itself is scheduled to be fixed in 1.4; the fix workaround above is targeted for 1.3.
Agreeing with Rob Hruska, having stumbled across most of his links myself.
I, too, suspect that the grails-error-pages-fix plugin ought to fix the issue - as the grailsWebRequest servlet by default doesn't have a <dispatcher>ERROR</dispatcher> assigned in web.xml.
The technique used with this plugin basically does the same as the technique that I'd suggested in a previous post. (Nevertheless, my own tests, as can be seen by my comments there, haven't led to consistent findings yet.)
Finally, one thing that would work at any rate is to implement a custom servlet Filter.