You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by "Chunduru, Krishnachaithanya" <Kr...@broadridge.com> on 2017/07/23 12:20:42 UTC
Apache Struts Vulnerability - CVE-2017-9791
Hi All,
Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.
We came to know that Apache which is having Apache Struts version 2.3.x with Struts 1 plugin and Struts 1 action is highly vulnerable . If exploited, this vulnerability would allow a remote code execution attack.
I tired checking in the MANIFEST.MF file, where is the implementation version shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you.
Regards,
Krishna
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Apache Struts Vulnerability - CVE-2017-9791
Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-24 10:57 GMT+02:00 Chunduru, Krishnachaithanya
<Kr...@broadridge.com>:
> I was referring to the Apache Webserver 2.4.10 running in our environment.
but you still need a Servlet container, e.g. Tomcat or Jetty or other
to run a Struts based app.
> Can you please let me know how to check the current Struts version I'm using.
As you already did, by checking the MANIFEST file which says you are
using Struts 1.1
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
RE: Apache Struts Vulnerability - CVE-2017-9791
Posted by "Chunduru, Krishnachaithanya" <Kr...@broadridge.com>.
Sorry, I might have confused it.
I was referring to the Apache Webserver 2.4.10 running in our environment.
Can you please let me know how to check the current Struts version I'm using.
Regards,
Krishna
-----Original Message-----
From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
Sent: Monday, July 24, 2017 1:16 PM
To: Struts Users Mailing List
Subject: Re: Apache Struts Vulnerability - CVE-2017-9791
2017-07-24 9:36 GMT+02:00 Chunduru, Krishnachaithanya
<Kr...@broadridge.com>:
> I was referring to Apache version we have i.e., 2.4.10.
There is no such version of Struts -> http://struts.apache.org/downloads.html
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
Re: Apache Struts Vulnerability - CVE-2017-9791
Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-24 9:36 GMT+02:00 Chunduru, Krishnachaithanya
<Kr...@broadridge.com>:
> I was referring to Apache version we have i.e., 2.4.10.
There is no such version of Struts -> http://struts.apache.org/downloads.html
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
RE: Apache Struts Vulnerability - CVE-2017-9791
Posted by "Chunduru, Krishnachaithanya" <Kr...@broadridge.com>.
Hi Lukasz,
Thanks for the prompt response.
I was referring to Apache version we have i.e., 2.4.10.
I'm not sure how to check the struts version we are having. As you mentioned 2.5.x series is not affected where and how to check this version on server, I tried googling these issues but it was of very little help.
I was also trying to check for the other vulnerabilities that are present in 1.1 version. Once again thanks for the help.
Regards,
Krishna
-----Original Message-----
From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
Sent: Monday, July 24, 2017 12:53 PM
To: Struts Users Mailing List
Subject: Re: Apache Struts Vulnerability - CVE-2017-9791
2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya
<Kr...@broadridge.com>:
> Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.
I assume you meant 2.5.10 as there is no such version as 2.4.10. And as stated in the description 2.5.x series isn't affected as it doesn't ship with the Struts 1 plugin, only Struts 2.3.x can be affected
http://struts.apache.org/docs/s2-048.html
> I tired checking in the MANIFEST.MF file, where is the implementation version shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you.
Looks like you are running the previous version of Struts, version 1.1 which isn't affected by the vulnerability (but there are other vulnerabilities which affect this version).
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Apache Struts Vulnerability - CVE-2017-9791
Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya
<Kr...@broadridge.com>:
> Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.
I assume you meant 2.5.10 as there is no such version as 2.4.10. And
as stated in the description 2.5.x series isn't affected as it doesn't
ship with the Struts 1 plugin, only Struts 2.3.x can be affected
http://struts.apache.org/docs/s2-048.html
> I tired checking in the MANIFEST.MF file, where is the implementation version shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you.
Looks like you are running the previous version of Struts, version 1.1
which isn't affected by the vulnerability (but there are other
vulnerabilities which affect this version).
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org