The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to “manipulate” the ClassLoader via the class parameter, which is passed to the getClass method. (CVE-2014-0094)
Impact
None. F5 products do not use the affected Apache Struts version.