Posted to user@struts.apache.org by Martin Gainty <mg...@hotmail.com> on 2017/09/20 11:56:47 UTC

Re: Which Struts Version to implement (with Patch for Equifax)

David:

the recommended hardened version for the financial services industry is Struts 2.5.10.1. Here is why:


"If you are using Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1," Apache says in a March 6 security alert. "You can also switch to a different implementation of the Multipart parser."


https://www.bankinfosecurity.com/apache-struts-2-under-zero-day-attack-update-now-a-9761




David and Lukasz please confirm

Martin
______________________________________________



________________________________
From: David Greene <da...@securelink.com>
Sent: Tuesday, September 19, 2017 9:43 AM
To: Struts Users Mailing List
Subject: Re: Which Struts Version To Use?

Just from my personal experience, migrating from 2.3.x to 2.5.x was a very
small development task.  I was actually surprised at how few changes were
required.  As someone else mentioned, a little bit of regex to weed out the
now-unused tag arguments was probably the 'hardest' part.  I would
recommend just biting the (small) bullet and going with 2.5.x if Java 1.6
isn't required in your environment.

-David


On Tue, Sep 19, 2017 at 1:11 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> Bruce
>
> Struts 2.5.x is not only built on JDK7; there were also a few
> important architectural changes which may be backward incompatible in
> some cases. Also, 2.5.x brings more new features and improvements that
> at some point can also break backward compatibility. 2.5.x is a good
> choice when you start a new development project or you need a new
> feature which is available in 2.5.x only.
>
> That's why I keep the 2.3.x branch just to port security fixes and allow
> an easier transition to 2.5.x (or 2.6.x soon). There are no exact plans for
> how long 2.3.x will be around. I do plan to switch to JDK7 (lack of tools
> to support building on JDK6) and then 2.3.x will be branded as 2.4.x but
> still with the same scope: only security fixes. So 2.3.x/2.4.x will
> stay with us for longer :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



>
> PS. Please remember that Struts doesn't follow strict semantic
> versioning, "2" means "Struts 2" so Struts 2.5.x is "Struts 2 version
> 5.x" where Struts 2.3.x means "Struts 2 version 3.x" :)
>
> 2017-09-18 21:29 GMT+02:00 bruceaphillips@gmail.com <
> bruceaphillips@gmail.com>:
> > Thank you for the reply.
> >
> > I still don't understand why there are two active branches, especially
> > since JDK7 was EOL some time ago.
> >
> > If the 2.3.X line is going to be ended soon and the 2.5.X line is the
> > future then I'd like to get our Struts apps on 2.5.X
> >
> > But if 2.3.X is going to be maintained for the next 1-2 years then I'd
> > feel comfortable updating to 2.3.X
> >
> > Another consideration is that all our newer web apps use Spring MVC and
> > do not use Struts 2.  We only have some legacy web apps that still use
> > Struts 2.  If the time commitment in converting from Struts 2.3.X to 2.5.X
> > is high then we might as well just convert those apps to Spring MVC.
> >
> > It would be great if the Struts 2 PMC would publicly state what the
> > future plan is for Struts 2 or if there is already a published plan please
> > let me know.
> >
> > Bruce
> >
> > On 2017-09-18 10:15, "Jason D. Burkert" <ja...@craytek.com> wrote:
> >> On 2017-09-18 11:05 AM, Phillips, Bruce A wrote:
> >> > We still have a couple of web apps that are using Struts version 2.3.32
> >> >
> >> > We want to update those web apps to the latest version of Struts but
> >> > I’m not sure what version to update to.
> >> >
> >> > I see a 2.5.13 and a 2.3.34 – both tags seem to be recently created.
> >> >
> >> > Should I update to 2.5.13 or should I stay on the 2.3.X line?
> >> >
> >> > Why are there different production tags (2.5.X and 2.3.X) ?
> >> >
> >> > Thank You,
> >> >
> >> > Bruce Phillips
> >> >
> >>
> >> Hello Bruce,
> >>
> >> If you have existing web apps using 2.3.32 it would be easiest to update
> >> to 2.3.34 for the latest security updates.
> >>
> >> In the future, to use the 2.5.x series, you'll need to perform some
> >> migration steps.  Review the Version Notes for 2.5 to get started,
> >> especially "Internal Changes" and "Package names have changed".
> >> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5



> >>
> >> As to why there are both 2.3.x series and 2.5.x series releases, my
> >> understanding is that one significant reason is "Struts2 is now build
> >> with JDK7" as of the first 2.5 release.
> >>
> >> -Jason
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

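The advisory text quoted in Martin's message gives the minimum fixed release per branch (2.3.32 for 2.3.x, 2.5.10.1 for 2.5.x) or, alternatively, switching the multipart parser implementation, and Jason's reply recommends 2.3.34 for apps already on 2.3.32. The script below is an added example written for this page; it is not code from the thread or from the Struts project. It resolves the struts2-core version declared in a Maven pom.xml (including a ${property} indirection), classifies it against those two thresholds while respecting the non-semver, sometimes four-component Struts version scheme Lukasz describes, and reports which multipart parser struts.xml selects. Assumptions not stated in the thread: the Maven coordinates org.apache.struts:struts2-core, the constant name struts.multipart.parser with "jakarta" as the default when it is not set, and the sample pom.xml and struts.xml, which are constructed for the example. The script reports the configured parser name so a reviewer can see whether that alternative mitigation was applied; it does not judge whether a given parser is safe.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions per branch, as quoted from the Apache advisory
# in the thread: 2.3.x needs >= 2.3.32, 2.5.x needs >= 2.5.10.1.
# Later releases named in the thread (2.3.34, 2.5.13) satisfy these.
FIXED_MIN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Turn '2.5.10.1' or '2.3.32-SNAPSHOT' into a tuple of ints.

    Struts does not follow strict semver, so a release may have three or
    four numeric components; stop at the first non-numeric component.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_at_least(found, minimum):
    """Right-pad with zeros so that 2.5.10 < 2.5.10.1 and 2.3.32 >= 2.3.32."""
    n = max(len(found), len(minimum))
    return found + (0,) * (n - len(found)) >= minimum + (0,) * (n - len(minimum))


def classify(version_text):
    """'patched', 'vulnerable' or 'not-in-advisory' for a struts2-core version."""
    v = parse_version(version_text)
    minimum = FIXED_MIN.get(v[:2])
    if minimum is None:
        return "not-in-advisory"  # a branch the quoted advisory does not name
    return "patched" if version_at_least(v, minimum) else "vulnerable"


def struts_core_version(pom_xml):
    """Declared org.apache.struts:struts2-core version, with a ${property}
    reference resolved against <properties>; None when it is not declared
    here (e.g. inherited from a parent POM or dependencyManagement)."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.iterfind(POM_NS + "properties/*")}
    for dep in root.iter(POM_NS + "dependency"):
        if (dep.findtext(POM_NS + "groupId") == "org.apache.struts"
                and dep.findtext(POM_NS + "artifactId") == "struts2-core"):
            raw = (dep.findtext(POM_NS + "version") or "").strip()
            m = re.fullmatch(r"\$\{([^}]+)\}", raw)
            return props.get(m.group(1)) if m else (raw or None)
    return None


def multipart_parser(struts_xml):
    """Value of the struts.multipart.parser constant in struts.xml.

    Assumption (not from the thread): when the constant is absent, Struts
    uses its default 'jakarta', i.e. the parser the advisory talks about.
    """
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.multipart.parser":
            return (const.get("value") or "").strip()
    return "jakarta"


def assess(pom_xml, struts_xml):
    """One record per application, suitable for an inventory sweep."""
    version = struts_core_version(pom_xml)
    return {
        "version": version,
        "status": classify(version) if version else "version-unresolved",
        "multipart_parser": multipart_parser(struts_xml),
    }


# Constructed sample inputs (not from any real application): a 2.3.31 app
# that declares the version through a property and leaves the parser default.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>legacy-app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_POM, SAMPLE_STRUTS_XML))
```

Run it against each legacy application's pom.xml and struts.xml; a result of "vulnerable" with parser "jakarta" is exactly the configuration the quoted advisory addresses. A version of "version-unresolved" means the version comes from a parent POM or BOM and has to be checked there (or with `mvn dependency:tree`) rather than trusted.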
Re: Which Struts Version to implement (with Patch for Equifax)

Posted by Lukasz Lenart <lu...@apache.org>.
Just to clarify one thing: this was not a zero-day vulnerability [1] but it
sounds better for journalists :\

[1] https://en.wikipedia.org/wiki/Zero-day_(computing)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-09-20 13:56 GMT+02:00 Martin Gainty <mg...@hotmail.com>: