IBM Support

IV61061: APACHE STRUTS 1.X ZERO DAY VULNERABILITY CVE-2014-0114


APAR status

  • Closed as program error.

Error description

  • Apache Struts 1.X could allow a remote attacker to execute
    arbitrary code on the system, caused by the failure to restrict
    the setting of Class Loader attributes. An attacker could
    exploit this vulnerability using the class parameter of an
    ActionForm object to manipulate the ClassLoader and execute
    arbitrary code on the system. There is partial impact to
    confidentiality, integrity, and availability.
    

Local fix

Problem summary

  • Code mitigation is in place for 7.0 Maintenance Release 5 Patch
    8 IF01
    

Problem conclusion

  • Code mitigation was used to correct this vulnerability, and the
    fix will be included in all future releases.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV61061

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-06-02

  • Closed date

    2014-06-03

  • Last modified date

    2014-06-03

  • APAR is sysrouted FROM one or more of the following:

    IV61039

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: IBM Security QRadar SIEM

Software version: 700

Reference #: IV61061

Modified date: 03 June 2014

