Posted to user@struts.apache.org by Markus Fischer <Ma...@knipp.de> on 2013/12/11 15:18:33 UTC

Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Dear group,

I hope that you can help to clear up my confusion about the current
status of Struts 2.3.15.2 with regards to the security vulnerability
S2-018 (see [1]).

So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
release. And the release notes still suggest that this is the case (see
[2]). Also, in [3] the vulnerability is categorized as only affecting
Struts versions up to 2.3.15.1.

But now I found that S2-018 is listed as vulnerability affecting Struts
2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
following: "In Struts 2 before 2.3.15.3, under certain conditions this
can be used to bypass security constraints."

I am aware that there are backward compatibility issues with the action:
prefix not working with Struts 2.3.15.2. However, some of the projects I
am administrating (and which are running Struts 2.3.15.2) do not make
use of that feature.

My question is: do I need to update those systems in order not to be
affected by a security vulnerability? Or is S2-018 merely listed as
affecting Struts 2.3.15.2 because of the backward compatibility issue,
but the security issue is fixed?

Many thanks in advance,
Markus

[1] http://struts.apache.org/development/2.x/docs/s2-018.html

[2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html

[3] http://www.cvedetails.com/cve/CVE-2013-4310/

[4] http://struts.apache.org/downloads.html


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2013/12/17 Miguel Almeida <mi...@almeida.at>:
> Great to hear that. BTW, you've been missed on IRC's #struts, drop by
> some time!

Too many communication channels ;-) When the entire company switches
to using IRC, I'll be there all the time :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Miguel Almeida <mi...@almeida.at>.
On Tue, 2013-12-17 at 11:40 +0100, Lukasz Lenart wrote:

> 2013/12/17 Miguel Almeida <mi...@almeida.at>:
> > Lukasz,
> >
> > Just to be sure, does that mean that if you use 2.3.15.3 and set the
> > flag to enable the action: prefix, you'll get the old behaviour (and
> > vulnerability) back?
> 
> As I cannot answer your question directly on a public forum, I will say
> that there is one more option you should keep false when you enable
> support for the action: prefix.
> 
> Anyway, right now I'm working on two most important things: better DMI
> and action: support :-)

Great to hear that. BTW, you've been missed on IRC's #struts, drop by
some time!



> 
> 
> Regards



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2013/12/17 Miguel Almeida <mi...@almeida.at>:
> Lukasz,
>
> Just to be sure, does that mean that if you use 2.3.15.3 and set the
> flag to enable the action: prefix, you'll get the old behaviour (and
> vulnerability) back?

As I cannot answer your question directly on a public forum, I will say
that there is one more option you should keep false when you enable
support for the action: prefix.

Anyway, right now I'm working on two most important things: better DMI
and action: support :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Miguel Almeida <mi...@almeida.at>.
Lukasz,

Just to be sure, does that mean that if you use 2.3.15.3 and set the
flag to enable the action: prefix, you'll get the old behaviour (and
vulnerability) back?


Miguel

On Mon, 2013-12-16 at 08:27 +0100, Lukasz Lenart wrote:

> 2.3.15.2 and 2.3.15.3 address the same issue, but 2.3.15.2 breaks
> support for the action: prefix; that's why we released 2.3.15.3 as well.
> Even if you don't use the action: prefix functionality, it will be better
> to upgrade to 2.3.15.3 and use the new flag to disable the action: prefix,
> which is the safer option.
> 
> 
> Regards



Re: Is Struts 2.3.15.2 affected by the security vulnerability S2-018?

Posted by Lukasz Lenart <lu...@apache.org>.
2.3.15.2 and 2.3.15.3 address the same issue, but 2.3.15.2 breaks
support for the action: prefix; that's why we released 2.3.15.3 as well.
Even if you don't use the action: prefix functionality, it will be better
to upgrade to 2.3.15.3 and use the new flag to disable the action: prefix,
which is the safer option.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/12/11 Markus Fischer <Ma...@knipp.de>:
> Dear group,
>
> I hope that you can help to clear up my confusion about the current
> status of Struts 2.3.15.2 with regards to the security vulnerability
> S2-018 (see [1]).
>
> So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
> release. And the release notes still suggest that this is the case (see
> [2]). Also, in [3] the vulnerability is categorized as only affecting
> Struts versions up to 2.3.15.1.
>
> But now I found that S2-018 is listed as vulnerability affecting Struts
> 2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
> following: "In Struts 2 before 2.3.15.3, under certain conditions this
> can be used to bypass security constraints."
>
> I am aware that there are backward compatibility issues with the action:
> prefix not working with Struts 2.3.15.2. However, some of the projects I
> am administrating (and which are running Struts 2.3.15.2) do not make
> use of that feature.
>
> My question is: do I need to update those systems in order not to be
> affected by a security vulnerability? Or is S2-018 merely listed as
> affecting Struts 2.3.15.2 because of the backward compatibility issue,
> but the security issue is fixed?
>
> Many thanks in advance,
> Markus
>
> [1] http://struts.apache.org/development/2.x/docs/s2-018.html
>
> [2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html
>
> [3] http://www.cvedetails.com/cve/CVE-2013-4310/
>
> [4] http://struts.apache.org/downloads.html
>

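The advice in the thread (upgrade to 2.3.15.3, leave the new action: prefix flag off, and keep one more option false if you do re-enable the prefix) turns into a concrete check that someone administering several Struts applications can run per deployment. The script below is an added example, not code from the thread or from the Struts project. It assumes the struts2-core jar name carries the version, and it uses the constant names struts.mapper.action.prefix.enabled (the flag added in 2.3.15.3) and struts.enable.DynamicMethodInvocation as they appear in the Struts 2.3.x documentation; Lukasz does not name the second option in the thread, so treating it as the DMI setting he mentions in the same message is an assumption. The struts.xml fragments are constructed for the example.

```python
"""Audit a Struts 2 deployment against the S2-018 advice given in the thread.

Added example, not from the thread or the Struts project. Checks the deployed
struts2-core version against the fixed version named in the advisory text
quoted in the thread, and inspects struts.xml for the action: prefix flag and
the DMI setting. Constant names are taken from the Struts 2.3.x docs, not from
the thread; the second option being DMI is an assumption.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.3.15.3"  # "In Struts 2 before 2.3.15.3 ..." (S2-018 text quoted in the thread)
ACTION_PREFIX_FLAG = "struts.mapper.action.prefix.enabled"  # assumed name; flag added in 2.3.15.3
DMI_FLAG = "struts.enable.DynamicMethodInvocation"          # assumed name; default true in 2.3.x


def parse_version(version):
    """Turn '2.3.15.2' into (2, 3, 15, 2) so versions compare as tuples, not strings."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break  # stop at a non-numeric qualifier such as '-SNAPSHOT'
        parts.append(int(match.group()))
    return tuple(parts)


def version_from_jar(jar_name):
    """Extract the version from a jar file name like 'struts2-core-2.3.15.2.jar'."""
    match = re.search(r"struts2-core-(\d+(?:\.\d+)*)\.jar$", jar_name)
    return match.group(1) if match else None


def read_constants(struts_xml):
    """Return {name: value} for every <constant> element in a struts.xml document."""
    root = ET.fromstring(struts_xml)
    return {c.get("name"): c.get("value") for c in root.iter("constant")}


def audit(jar_name, struts_xml):
    """Return a list of findings; an empty list means the deployment follows the thread's advice."""
    findings = []
    version = version_from_jar(jar_name)
    if version is None:
        return ["could not determine struts2-core version from %r" % jar_name]
    if parse_version(version) < parse_version(FIXED_VERSION):
        findings.append("struts2-core %s is older than %s" % (version, FIXED_VERSION))
    constants = read_constants(struts_xml)
    # The flag defaults to false in 2.3.15.3, so only an explicit "true" re-enables the prefix.
    if constants.get(ACTION_PREFIX_FLAG, "false").lower() == "true":
        findings.append("action: prefix re-enabled via %s=true" % ACTION_PREFIX_FLAG)
        # Thread advice: if the prefix is enabled, keep the other option false as well.
        if constants.get(DMI_FLAG, "true").lower() != "false":
            findings.append("%s is not false while the action: prefix is enabled" % DMI_FLAG)
    return findings


# Constructed struts.xml fragments for the example (not from any real project).
SAFE_XML = """<struts>
  <constant name="struts.mapper.action.prefix.enabled" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""

RISKY_XML = """<struts>
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
</struts>"""

if __name__ == "__main__":
    for jar, xml in [("struts2-core-2.3.15.2.jar", SAFE_XML),
                     ("struts2-core-2.3.15.3.jar", RISKY_XML),
                     ("struts2-core-2.3.15.3.jar", SAFE_XML)]:
        print(jar, audit(jar, xml) or ["OK"])
```

Run it against the jar name found under WEB-INF/lib and the application's struts.xml; a 2.3.15.2 deployment is reported as below the fixed version even when it never uses the action: prefix, which matches the recommendation to move to 2.3.15.3 rather than stay on 2.3.15.2.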