Posted to user@struts.apache.org by Emi Lu <em...@encs.concordia.ca> on 2013/01/16 22:54:57 UTC

Java security issue vs. struts?

Hello,

Does someone know how this Java security issue is related to the Struts framework?

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Thanks a lot!
Emi

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Java security issue vs. struts?

Posted by Emi Lu <em...@encs.concordia.ca>.
>> Thank you Chris. Moreover, if I call jfreechart to generate reports through
>> web applications, it will not be affected, I believe?
>
> As long as you do not use Applets to output JFreechart data you should
> be fine (saying: if you generate images with JFreechart)

(1) My jsp:
   <img src="jfreechart_reportProcessReport.action">

(2) struts.xml

<action name="jfreechart_reportProcessReport"  method="jfreechart_report"
class="ProcessReport">
          <result name="success" type="chart">
             <param name="chart">chart</param>
             <param name="width">1000</param>
             <param name="height">500</param>
          </result>
</action>


(3) My struts java action class (server side):

do:
ChartFactory.createBarChart3D(){... ...}


As a result, given (1) to (3), I believe I am safe.

Thanks a lot for all your comments!
Emi




Re: Java security issue vs. struts?

Posted by Christian Grobmeier <gr...@gmail.com>.
On Wed, Jan 16, 2013 at 11:12 PM, Emi Lu <em...@encs.concordia.ca> wrote:
> On 01/16/2013 05:02 PM, Chris Pratt wrote:
>>
>> I believe the description says it all.
>>
>> This Security Alert addresses security issues CVE-2013-0422 (US-CERT
>> Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
>> and another vulnerability affecting Java running in web browsers. *These
>> vulnerabilities are not applicable to Java running on servers,*
>> standalone Java desktop applications or embedded Java applications. They
>> also do not affect Oracle server-based software.
>>
> Thank you Chris. Moreover, if I call jfreechart to generate reports through
> web applications, it will not be affected, I believe?

As long as you do not use Applets to output JFreechart data you should
be fine (saying: if you generate images with JFreechart)


> Emi



--
http://www.grobmeier.de
https://www.timeandbill.de

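A reviewer's check for the distinction Christian and Dave draw above (the plugin bug matters only if the web application hands Java to the browser): an added Python scanner, not from this thread, Struts or JFreeChart, that flags applet, Java-plugin object/embed and JNLP markup in a JSP while deliberately ignoring the `<img src="...action">` pattern Emi uses. The sample JSP is constructed for this example.

```python
"""Flag template markup that would run Java inside the browser.

CVE-2013-0422 affects the Java browser plugin (applets / Web Start), not
Java on the server, so a server-rendered chart fetched via <img> is out of
scope. Constructed example, not part of Struts or JFreeChart."""
import re

# CLSID of the classic Java Plug-in ActiveX control used in <object> tags.
JAVA_PLUGIN_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"
JAVA_MIME_PREFIX = "application/x-java-"  # x-java-applet, x-java-bean, ...

_TAG = re.compile(r"<(applet|object|embed|a|img)\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(raw):
    """Parse a tag's attribute string into a dict with lower-cased keys."""
    out = {}
    for m in _ATTR.finditer(raw):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def find_browser_java(template):
    """Return (line, tag, reason) for each element that hands Java to the
    browser. <img> is matched only to document that it is ignored."""
    findings = []
    for m in _TAG.finditer(template):
        tag = m.group(1).lower()
        a = _attrs(m.group(2))
        line = template.count("\n", 0, m.start()) + 1
        if tag == "applet":
            findings.append((line, tag, "applet runs in the Java browser plugin"))
        elif tag in ("object", "embed"):
            if a.get("classid", "").lower() == JAVA_PLUGIN_CLSID:
                findings.append((line, tag, "object targets the Java plugin CLSID"))
            elif a.get("type", "").lower().startswith(JAVA_MIME_PREFIX):
                findings.append((line, tag, "MIME type %s invokes the Java plugin" % a["type"]))
        elif tag == "a" and a.get("href", "").lower().split("?")[0].endswith(".jnlp"):
            findings.append((line, tag, "link launches a Java Web Start application"))
        # <img src="x.action"> only fetches bytes the server rendered, so no
        # Java reaches the browser and it is deliberately not reported.
    return findings


# Constructed sample: the thread's server-side chart <img> plus four
# client-side Java embeds for contrast.
SAMPLE_JSP = """<html><body>
<img src="jfreechart_reportProcessReport.action">
<applet code="Report.class" width="300" height="200"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="code" value="Loader.class">
</object>
<embed type="application/x-java-applet" code="Viewer.class">
<a href="/reports/viewer.jnlp">Open in Java Web Start</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, why in find_browser_java(SAMPLE_JSP):
        print("line %d <%s>: %s" % (line, tag, why))
```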


RE: Java security issue vs. struts?

Posted by Martin Gainty <mg...@hotmail.com>.
1) The open access created via OGNL expression request to Context is a minor breach. Contact Dave or Lukasz for a solution
(at least one of them will plug the hole).
2) If you're a security guy (or gal), start subscribing to CVE bulletins.
Oracle *usually* addresses these issues right away, and you can read about the latest vulnerability and ways to mitigate the breach
at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Bon Chance,
Martin

> Date: Fri, 18 Jan 2013 12:21:28 -0500
> From: emilu@encs.concordia.ca
> To: user@struts.apache.org
> CC: mgainty@hotmail.com; thechrispratt@gmail.com
> Subject: Re: Java security issue vs. struts?
> 
> Hello Martin,
> 
> I did not find a bug report under the Struts JIRA related to jfreechart.
> 
> More details about how I use jfreechart:
> (1) jsp <img src=".action">
> (2) JAVA Action class, generated jsp
> (3) struts.xml specifies the img size
> 
> Hope this info will help others who have the same concern :-)
> 
> Bon week-end!
> Emi

Re: Java security issue vs. struts?

Posted by Emi Lu <em...@encs.concordia.ca>.
Hello Martin,

I did not find a bug report under the Struts JIRA related to jfreechart.

More details about how I use jfreechart:
(1) jsp <img src=".action">
(2) JAVA Action class, generated jsp
(3) struts.xml specifies the img size

Hope this info will help others who have the same concern :-)

Bon week-end!
Emi


On 01/16/2013 05:39 PM, Martin Gainty wrote:
>
> Hi Chris This issue came up on another apache users list I believe there was open access issue to Remote Context Object by OGNL
> (but i think Lukasz or Dave addressed the issue)..emi..did you see this in Struts Jira? Bon chance,
> Martin
> ______________________________________________
> > Disclaimer and confidentiality note: This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorized distribution or copying of it is prohibited. This message is for information only and will have no legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.
>


-------- Original Message --------
Subject: Re: Java security issue vs. struts?
Date: Fri, 18 Jan 2013 12:00:31 -0500
From: Emi Lu <em...@encs.concordia.ca>
Reply-To: emilu@encs.concordia.ca
To: Christian Grobmeier <gr...@gmail.com>
CC: Struts Users Mailing List <us...@struts.apache.org>,  Chris Pratt 
<th...@gmail.com>

>> Thank you Chris. Moreover, if I call jfreechart to generate reports through
>> web applications, it will not be affected, I believe?
>
> As long as you do not use Applets to output JFreechart data you should
> be fine (saying: if you generate images with JFreechart)

(1) My jsp:
   <img src="jfreechart_reportProcessReport.action">

(2) struts.xml

<action name="jfreechart_reportProcessReport"  method="jfreechart_report"
class="ProcessReport">
          <result name="success" type="chart">
             <param name="chart">chart</param>
             <param name="width">1000</param>
             <param name="height">500</param>
          </result>
</action>


(3) My struts java action class (server side):

do:
ChartFactory.createBarChart3D(){... ...}


As a result, given (1) to (3), I believe I am safe.

Thanks a lot for all your comments!
Emi





RE: Java security issue vs. struts?

Posted by Martin Gainty <mg...@hotmail.com>.
Hi Chris, this issue came up on another Apache users list. I believe there was an open access issue to the Remote Context Object by OGNL
(but I think Lukasz or Dave addressed the issue). Emi, did you see this in Struts Jira? Bon chance,
Martin

> Date: Wed, 16 Jan 2013 17:12:13 -0500
> From: emilu@encs.concordia.ca
> To: thechrispratt@gmail.com
> CC: user@struts.apache.org
> Subject: Re: Java security issue vs. struts?
> 
> On 01/16/2013 05:02 PM, Chris Pratt wrote:
> > I believe the description says it all.
> >
> > This Security Alert addresses security issues CVE-2013-0422 (US-CERT
> > Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
> > and another vulnerability affecting Java running in web browsers. *These
> > vulnerabilities are not applicable to Java running on servers,*
> > standalone Java desktop applications or embedded Java applications. They
> > also do not affect Oracle server-based software.
> >
> Thank you Chris. Moreover, if I call jfreechart to generate reports 
> through web applications, it will not be affected, I believe?
> 
> Emi
> 

Re: Java security issue vs. struts?

Posted by Emi Lu <em...@encs.concordia.ca>.
On 01/16/2013 05:02 PM, Chris Pratt wrote:
> I believe the description says it all.
>
> This Security Alert addresses security issues CVE-2013-0422 (US-CERT
> Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
> and another vulnerability affecting Java running in web browsers. *These
> vulnerabilities are not applicable to Java running on servers,*
> standalone Java desktop applications or embedded Java applications. They
> also do not affect Oracle server-based software.
>
Thank you Chris. Moreover, if I call jfreechart to generate reports 
through web applications, it will not be affected, I believe?

Emi





-- 
Emi Lu, ENCS, Concordia University, Montreal H3G 1M8
emilu@encs.concordia.ca        +1 514 848-2424 x5884



Re: Java security issue vs. struts?

Posted by Chris Pratt <th...@gmail.com>.
I believe the description says it all.

This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert
TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and
another vulnerability affecting Java running in web browsers. *These
vulnerabilities are not applicable to Java running on servers,* standalone
Java desktop applications or embedded Java applications. They also do not
affect Oracle server-based software.


On Wed, Jan 16, 2013 at 1:54 PM, Emi Lu <em...@encs.concordia.ca> wrote:

> Hello,
>
> Does someone know how this Java security issue is related to the Struts framework?
>
> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
>
> Thanks a lot!
> Emi

Re: Java security issue vs. struts?

Posted by Dave Newton <da...@gmail.com>.
...

Where does Struts 2 run? In the browser, or on a server?

Dave


On Wed, Jan 16, 2013 at 5:06 PM, Emi Lu <em...@encs.concordia.ca> wrote:

> On 01/16/2013 04:54 PM, Emi Lu wrote:
>
>> Hello,
>>
>> Does someone know how this Java security issue is related to the Struts
>> framework?
>>
>> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
>>
>
> One more link:
> http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/
>
> For example, would struts2-jfreechart be considered a Java app run through
> the web browser?
>
> Emi


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>

Re: Java security issue vs. struts?

Posted by Emi Lu <em...@encs.concordia.ca>.
On 01/16/2013 04:54 PM, Emi Lu wrote:
> Hello,
>
> Does someone know how this Java security issue is related to the Struts framework?
>
> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

One more link:
http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/

For example, would struts2-jfreechart be considered a Java app run through
the web browser?

Emi

