Posted to user@struts.apache.org by William Stranathan <wi...@thestranathans.com> on 2017/09/06 04:22:31 UTC

Struts 2.3 fix for s2-052?

Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3
patch available yet. I've tried with the latest snapshots, and those are
also vulnerable.

Is there a fix for this vulnerability on the 2.3 stream forthcoming?
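Before asking for a 2.3 patch, the practical first question is which struts2-core and struts2-rest-plugin a deployment actually ships, since S2-052 lives in the REST plugin's XML handling and was fixed in 2.5.13 and, as this thread establishes, backported to 2.3.34. The following is an added example, not code from the Struts project or from anyone on this thread. It reads the version from the Maven pom.properties that published Struts jars carry, rather than from file names, and deliberately refuses to treat any SNAPSHOT build as fixed, which matches the experience reported in the thread. The class name, the default "WEB-INF/lib" path and the report wording are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.jar.JarFile;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;

/**
 * Added example (not Struts project code): scan a lib directory for the Struts
 * artifacts relevant to S2-052 and report whether the installed struts2-core is
 * at or above the first fixed release of its branch.
 */
public class StrutsS2052Audit {

    // Maven writes these into every published Struts jar, so the version is read
    // from here rather than from a file name that a deployment may have renamed.
    private static final String CORE_PROPS =
        "META-INF/maven/org.apache.struts/struts2-core/pom.properties";
    private static final String REST_PROPS =
        "META-INF/maven/org.apache.struts/struts2-rest-plugin/pom.properties";

    /** "2.3.33" -> {2, 3, 33}; a non-numeric component such as "SNAPSHOT" ends parsing. */
    static int[] parseVersion(String version) {
        int[] out = new int[3];
        String[] parts = version.split("[.-]");
        for (int i = 0; i < out.length && i < parts.length; i++) {
            if (!parts[i].matches("\\d+")) break;
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    /**
     * True only for a released struts2-core at or above the fixed version of its
     * branch: 2.3.34 on the 2.3 stream, 2.5.13 on the 2.5 stream. Snapshots are
     * never trusted; a 2.3.x snapshot in this thread was still vulnerable.
     */
    static boolean coreIsFixed(String version) {
        if (version == null || version.contains("SNAPSHOT")) return false;
        int[] v = parseVersion(version);
        if (v[0] != 2) return false;
        if (v[1] == 3) return v[2] >= 34;
        if (v[1] == 5) return v[2] >= 13;
        return v[1] > 5; // streams older than 2.3 never got the fix; later ones inherit it
    }

    private static String versionIn(JarFile jar, String entryName) throws IOException {
        ZipEntry entry = jar.getEntry(entryName);
        if (entry == null) return null;
        try (InputStream in = jar.getInputStream(entry)) {
            Properties props = new Properties();
            props.load(in);
            return props.getProperty("version");
        }
    }

    /** One finding per line. The REST plugin is the component that carries S2-052. */
    static List<String> audit(Path libDir) throws IOException {
        String core = null;
        String rest = null;
        List<Path> jars;
        try (Stream<Path> walk = Files.walk(libDir)) {
            jars = walk.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        for (Path p : jars) {
            try (JarFile jar = new JarFile(p.toFile())) {
                String c = versionIn(jar, CORE_PROPS);
                if (c != null) core = c;
                String r = versionIn(jar, REST_PROPS);
                if (r != null) rest = r;
            }
        }
        List<String> findings = new ArrayList<>();
        if (core == null) {
            findings.add("no struts2-core under " + libDir);
            return findings;
        }
        boolean fixed = coreIsFixed(core);
        findings.add("struts2-core " + core + (fixed ? ": at or above fixed release" : ": below fixed release"));
        if (rest == null) {
            findings.add("struts2-rest-plugin not deployed: S2-052 does not apply");
        } else if (!fixed) {
            findings.add("struts2-rest-plugin " + rest + " with an unfixed core: upgrade both artifacts");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path libDir = Paths.get(args.length > 0 ? args[0] : "WEB-INF/lib");
        for (String finding : audit(libDir)) System.out.println(finding);
    }
}
```

Run it against an unpacked WAR (java StrutsS2052Audit /path/to/app/WEB-INF/lib). The branch thresholds are hard-coded on purpose: a generic "newer is better" comparison would wrongly pass 2.3.34-SNAPSHOT and would not know that 2.3.34 and 2.5.13 are separate fixes on separate streams.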

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
Ah... right, I forgot about that.

2017-09-06 13:11 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> And yes, it looks like the Jenkins builds have been failing for quite some
> time:
> https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
> (that error message is not too dissimilar from the one I get with JDK 7 in
> the same module).
>
> On Wed, Sep 6, 2017 at 7:04 AM William Stranathan <wi...@thestranathans.com>
> wrote:
>
>> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
>> 2.3.34 snapshot of the rest-plugin dated August 12.
>>
>> I just did a build of only the bits needed to get the rest-showcase
>> running (so mvn install, when that fails, mvn install -f
>> plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with
>> the correct permission message.
>>
>> On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart <lu...@apache.org>
>> wrote:
>>
>>> 2017-09-06 12:31 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
>>> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able
>>> > to get it to build from source (now some odd javac access exception).
>>>
>>> Strange, do you have a date of the snapshot? Maybe Jenkins stopped
>>> publishing them.
>>>
>>> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>>>
>>> Here is the full info
>>> http://markmail.org/message/5xuhb2vwc7iagjjr
>>>
>>>
>>> Thanks & regards
>>> --
>>> Łukasz
>>> + 48 606 323 122 http://www.lenart.org.pl/
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: user-help@struts.apache.org
>>>
>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
And yes, it looks like the Jenkins builds have been failing for quite some
time:
https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
(that error message is not too dissimilar from the one I get with JDK 7 in
the same module).

On Wed, Sep 6, 2017 at 7:04 AM William Stranathan <wi...@thestranathans.com>
wrote:

> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
> 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase
> running (so mvn install, when that fails, mvn install -f
> plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with
> the correct permission message.
>
> On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart <lu...@apache.org>
> wrote:
>
>> 2017-09-06 12:31 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
>> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able
>> > to get it to build from source (now some odd javac access exception).
>>
>> Strange, do you have a date of the snapshot? Maybe Jenkins stopped
>> publishing them.
>>
>> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>>
>> Here is the full info
>> http://markmail.org/message/5xuhb2vwc7iagjjr
>>
>>
>> Thanks & regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 13:04 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
> 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running
> (so mvn install, when that fails, mvn install -f
> plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with
> the correct permission message.

Looks like something is broken with publishing the latest SNAPSHOTS.

This contains only month-old builds:
https://repository.apache.org/content/groups/snapshots/org/apache/struts/struts2-rest-plugin/2.3.34-SNAPSHOT/


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the
2.3.34 snapshot of the rest-plugin dated August 12.

I just did a build of only the bits needed to get the rest-showcase running
(so mvn install, when that fails, mvn install -f
plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with
the correct permission message.

On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-09-06 12:31 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able
> > to get it to build from source (now some odd javac access exception).
>
> Strange, do you have a date of the snapshot? Maybe Jenkins stopped
> publishing them.
>
> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr
>
>
> Thanks & regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
Incidentally, the wiki points out that 2.3 is vulnerable, but
http://struts.apache.org/docs/s2-052.html still only states 2.5.

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-09-06 16:12 GMT+02:00 Emi <em...@encs.concordia.ca>:
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3, right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 18:40 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> Any ETA?

Under way to Central and the mirrors.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
Any ETA?

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-09-06 16:12 GMT+02:00 Emi <em...@encs.concordia.ca>:
> > Hello,
> >>
> >> I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3, right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 16:12 GMT+02:00 Emi <em...@encs.concordia.ca>:
> Hello,
>>
>> I finally read your email where you gave the dist URL for the dev release.
>
> This is the release that I should use for 2.3, right?
>
> https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Yes, it should be officially released and announced soon


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3 fix for s2-052?

Posted by Emi <em...@encs.concordia.ca>.
Hello,
> I finally read your email where you gave the dist URL for the dev release.
This is the release that I should use for 2.3, right?

https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Thanks.
> I tested against the struts2-rest-showcase app, a URL that was vulnerable
> in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and
> rest-showcase apps, and attempted the exploit against that as well, and
> that also gave the exception around class permissions (the exception it
> should throw when deserialization attempts to instantiate a non-allowed
> class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lu...@apache.org>
> wrote:
>
>> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
>>> Here is the full info
>>> http://markmail.org/message/5xuhb2vwc7iagjjr
>> William, how does your test pass?
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>




Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
Thanks a lot!

2017-09-06 15:56 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> I finally read your email where you gave the dist URL for the dev release.
> I tested against the struts2-rest-showcase app, a URL that was vulnerable
> in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and
> rest-showcase apps, and attempted the exploit against that as well, and
> that also gave the exception around class permissions (the exception it
> should throw when deserialization attempts to instantiate a non-allowed
> class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lu...@apache.org>
> wrote:
>
>> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
>> > Here is the full info
>> > http://markmail.org/message/5xuhb2vwc7iagjjr
>>
>> William, how does your test pass?
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>



Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
I finally read your email where you gave the dist URL for the dev release.
I tested against the struts2-rest-showcase app, a URL that was vulnerable
in other versions.

I also manually built just struts2-core, rest-plugin, config-browser, and
rest-showcase apps, and attempted the exploit against that as well, and
that also gave the exception around class permissions (the exception it
should throw when deserialization attempts to instantiate a non-allowed
class).

On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> > Here is the full info
> > http://markmail.org/message/5xuhb2vwc7iagjjr
>
> William, how does your test pass?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
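The "exception around class permissions" William describes is the observable sign of the fix: the REST plugin's XStream deserializer is given an allowlist, and a class named in the request body that is not on it is refused before it is instantiated. The block below is an added example, written for this thread; it is not Struts or XStream project code and does not reproduce the Struts patch. It stands two XStream instances side by side: one configured to accept any type, which is what the vulnerable behaviour amounts to, and one with a deny-all baseline plus an explicit allowlist. The Order class, the "order" alias and both XML documents are constructed for the example. No exploit payload is used; a plain java.util.HashMap stands in for "any class outside the allowlist", and the real S2-052 gadget classes fall into the same rejected category.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not Struts or XStream project code): the difference between an
 * XStream that honours any class name found in the XML and one that only
 * instantiates an explicit allowlist. Requires XStream 1.4.7 or later, where the
 * security framework and ForbiddenClassException exist.
 */
public class AllowlistDeserialization {

    /** The one application type this endpoint is meant to accept (constructed). */
    public static class Order {
        public String sku;
        public int quantity;
    }

    /** Constructed request body a legitimate client would send. */
    static final String GOOD_XML =
        "<order><sku>ABC-1</sku><quantity>2</quantity></order>";

    /** Constructed request body naming a class the endpoint never asked for. */
    static final String FOREIGN_XML = "<java.util.HashMap/>";

    /** What the vulnerable configuration amounts to: any class name in the XML is honoured. */
    static XStream openInstance() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY); // explicit so the demo behaves the same on every XStream release
        xs.alias("order", Order.class);
        return xs;
    }

    /** The shape of the fix: deny everything, then re-admit only what the endpoint needs. */
    static XStream hardenedInstance() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // clears every existing permission
        xs.addPermission(NullPermission.NULL);                // null values are still legal
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and their wrappers
        xs.allowTypes(new Class[] {Order.class, String.class}); // exactly the application type and its field types
        xs.alias("order", Order.class);
        return xs;
    }

    /** Deserialize and report what happened; the hardened instance throws before instantiating a foreign class. */
    static String classify(XStream xs, String xml) {
        try {
            Object result = xs.fromXML(xml);
            return "accepted " + result.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream open = openInstance();
        XStream hardened = hardenedInstance();
        System.out.println("open,     good input:    " + classify(open, GOOD_XML));
        System.out.println("open,     foreign input: " + classify(open, FOREIGN_XML));
        System.out.println("hardened, good input:    " + classify(hardened, GOOD_XML));
        System.out.println("hardened, foreign input: " + classify(hardened, FOREIGN_XML));
    }
}
```

The check to run against a patched deployment is the one William ran: submit a body naming a class the endpoint has no business instantiating and confirm the response is the forbidden-class error rather than a successful parse. Note that the deny-first ordering matters; adding NoTypePermission.NONE after the allow calls would wipe them out, and allowing types without first denying everything leaves the default behaviour of the XStream release in use.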

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 12:37 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr

William, how does your test pass?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 12:31 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> Odd - when I tested the snapshots, they were still vulnerable. I'm not able
> to get it to build from source (now some odd javac access exception).

Strange, do you have a date of the snapshot? Maybe Jenkins stopped
publishing them.

> Where do I get the bits for testing 2.3.34, if not the snapshots?

Here is the full info
http://markmail.org/message/5xuhb2vwc7iagjjr


Thanks & regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts 2.3 fix for s2-052?

Posted by William Stranathan <wi...@thestranathans.com>.
Odd - when I tested the snapshots, they were still vulnerable. I'm not able
to get it to build from source (now some odd javac access exception).

Where do I get the bits for testing 2.3.34, if not the snapshots?

On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart <lu...@apache.org>
wrote:

> 2017-09-06 6:22 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3
> > patch available yet. I've tried with the latest snapshots, and those are
> > also vulnerable.
> >
> > Is there a fix for this vulnerability on the 2.3 stream forthcoming?
>
> I have called for a vote just now, 2.3.34 contains all the backports
> from 2.5.13 related to the security vulnerabilities. Please test and
> report back.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: Struts 2.3 fix for s2-052?

Posted by Lukasz Lenart <lu...@apache.org>.
2017-09-06 6:22 GMT+02:00 William Stranathan <wi...@thestranathans.com>:
> Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3
> patch available yet. I've tried with the latest snapshots, and those are
> also vulnerable.
>
> Is there a fix for this vulnerability on the 2.3 stream forthcoming?

I have called for a vote just now, 2.3.34 contains all the backports
from 2.5.13 related to the security vulnerabilities. Please test and
report back.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
