Impact: Moderate Public Date: 2019-10-02 CWE: CWE-470 Bugzilla: 1677721: CVE-2019-3834 JON: struts1 reversion of fix for CVE-2014-0114 It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3.
Find out more about CVE-2019-3834 from the MITRE CVE dictionary dictionary and NIST NVD.
While the original flaw, CVE-2014-0114, was resolved as a precaution in JON 3.2.1, later further research revealed that JON did not expose the properties in an exploitable way, and was not vulnerable.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.6 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Operations Network 3 | struts1 | Not affected |
Vulmon