Posted to user@struts.apache.org by David Dillard <Da...@veritas.com> on 2018/11/04 17:40:03 UTC

Question Regarding Recent Security Announcement

Hi,

An email<http://mail-archives.apache.org/mod_mbox/www-announce/201811.mbox/%3cCAMopvkMgZiJ+ZkT1HmkQt94q7-bzNWnZm0Td9vq589vz5YM=Mw@mail.gmail.com%3e> was recently sent to the Apache Announcements list suggesting that users update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS.  I have a few questions about this:


  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used<https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  What's recommended doesn't seem to accomplish what the email states it will.
  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
  3.  This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.

So, given all of this, can someone explain why this recommendation was made, and why now, since the noted issues appear to have been resolved for a couple of years?


Thanks,

David


RE: Question Regarding Recent Security Announcement

Posted by Yasser Zamani <ya...@apache.org>.
Hi David,

That was a typo which has already been fixed and re-announced. We meant 1.3.3. Thanks for your email.

Regards.

>-----Original Message-----
>From: David Dillard <Da...@veritas.com>
>Sent: Sunday, November 4, 2018 9:10 PM
>To: user@struts.apache.org
>Subject: Question Regarding Recent Security Announcement
>
>Hi,
>
>An email<http://mail-archives.apache.org/mod_mbox/www-
>announce/201811.mbox/%3cCAMopvkMgZiJ+ZkT1HmkQt94q7-
>bzNWnZm0Td9vq589vz5YM=Mw@mail.gmail.com%3e> was recently sent to the
>Apache Announcements list suggesting that users update to Apache Struts 2.3.36
>in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS.  I
>have a few questions about this:
>
>
>  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be
>used<https://mvnrepository.com/artifact/org.apache.struts/struts2-
>core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  What's
>recommended doesn't seem to accomplish what the email states it will.
>  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven
>repository since Struts 2.3.30, which was released back in July 2016.
>  3.  This makes sense since the last documented DoS vulnerability in Fileupload
>was fixed in 1.3.2.
>
>So, given all of this, can someone explain why this recommendation was made,
>and why now, since the noted issues appear to have been resolved for a couple of years?
>
>
>Thanks,
>
>David


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [EXTERNAL] Re: Question Regarding Recent Security Announcement

Posted by Lukasz Lenart <lu...@apache.org>.
Mon, 5 Nov 2018 at 13:33 David Dillard <Da...@veritas.com> wrote:
>
> Ok, that addresses one question, but still leaves one: why is it being recommended to update File Upload NOW due to a possible DoS, when Struts has been using a version of File Upload with no documented DoS issue for the last six releases???

> Or put another way, Struts 2.3.35 uses File Upload 1.3.2.  File Upload 1.3.2 currently has no documented DoS issue.  Now, you're saying to update to File Upload 1.3.3 to fix a DoS issue.  Why?

We announced the same a few months ago [1] and there was just one
release (Struts 2.3.35) that missed the thing [2]. And we won't be
releasing a new version just because some of the dependencies were
discovered to be vulnerable. And yes, we missed that Struts 2.3.35
and Struts 2.3.36 are using a vulnerable library.

There is a known vulnerability that affects 1.3.2 and prior versions
of commons-fileupload [3]. It's an RCE attack, not a DoS.

[1] https://struts.apache.org/announce.html#a20180323
[2] https://struts.apache.org/releases.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
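Since the fix is described above as a drop-in dependency update, here is an added example (not from this thread or the Struts project) of how an application built on struts2-core 2.3.36 can pin the transitive commons-fileupload to 1.3.3 with Maven's dependencyManagement; the com.example/myapp coordinates are placeholders.

```xml
<!-- Added example pom.xml fragment, not from the thread or the Struts project.
     struts2-core 2.3.36 still declares commons-fileupload 1.3.2 transitively;
     a dependencyManagement entry overrides the transitive version so that
     only 1.3.3 is resolved. The com.example/myapp coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>myapp</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>

  <dependencyManagement>
    <dependencies>
      <!-- Takes precedence over the 1.3.2 that struts2-core pulls in -->
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.36</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=commons-fileupload` in the project and check that only 1.3.3 appears in the resolved tree.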



RE: [EXTERNAL] Re: Question Regarding Recent Security Announcement

Posted by David Dillard <Da...@veritas.com>.
Ok, that addresses one question, but still leaves one: why is it being recommended to update File Upload NOW due to a possible DoS, when Struts has been using a version of File Upload with no documented DoS issue for the last six releases???

Or put another way, Struts 2.3.35 uses File Upload 1.3.2.  File Upload 1.3.2 currently has no documented DoS issue.  Now, you're saying to update to File Upload 1.3.3 to fix a DoS issue.  Why?



-----Original Message-----
From: Lukasz Lenart <lu...@apache.org> 
Sent: Monday, November 5, 2018 2:16 AM
To: Struts Users Mailing List <us...@struts.apache.org>
Subject: [EXTERNAL] Re: Question Regarding Recent Security Announcement

Sun, 4 Nov 2018 at 18:40 David Dillard <Da...@veritas.com> wrote:
>   1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used<https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  What's recommended doesn't seem to accomplish what the email states it will.

We have overlooked that when we were preparing Struts 2.3.36, this is an easy drop-in dependency.

>   2.  The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
>   3.  This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Question Regarding Recent Security Announcement

Posted by Lukasz Lenart <lu...@apache.org>.
Sun, 4 Nov 2018 at 18:40 David Dillard <Da...@veritas.com> wrote:
>   1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used<https://mvnrepository.com/artifact/org.apache.struts/struts2-core/2.3.36>, not 1.3.3, so I'm confused about what's stated in the email.  What's recommended doesn't seem to accomplish what the email states it will.

We have overlooked that when we were preparing Struts 2.3.36, this is
an easy drop-in dependency.

>   2.  The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
>   3.  This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
