Posted to user@struts.apache.org by Anu Krishna Rajamohan <ar...@ncsu.edu> on 2016/04/29 00:34:38 UTC

Security Vulnerability for Struts 1.3.10 in Struts 2.x

Hi,

As Apache Struts 1.x is pretty old and it suffers from many security
vulnerabilities, I decided to use a recent version of Apache Struts 2.x
(Struts 2.3.24.1). However, I find that struts-core-1.3.10 jar is present
in struts 2.x. Can you please let me know if the presence of this jar makes
Struts 2.x vulnerable to security issues such as CVE-2012-1007
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.

Thanks and Best Regards,
Anu

Re: Security Vulnerability for Struts 1.3.10 in Struts 2.x

Posted by Christoph Nenning <Ch...@lex-com.net>.
> Hi,
> 
> As Apache Struts 1.x is pretty old and it suffers from many security
> vulnerabilities, I decided to use a recent version of Apache Struts 2.x
> (Struts 2.3.24.1). However, I find that struts-core-1.3.10 jar is present
> in struts 2.x. Can you please let me know if the presence of this jar makes
> Struts 2.x vulnerable to security issues such as CVE-2012-1007
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.
> 
> Thanks and Best Regards,
> Anu


Do you use maven or some other tool to manage dependencies?
Or did you download one of the zip files?

Struts2 has many plugins which have their own dependencies. The zip files 
contain that all. But for most apps it is not necessary. It is highly 
recommended to use dependency management to make sure you really get just 
those jars that you need.



Regards,
Christoph


Re: Security Vulnerability for Struts 1.3.10 in Struts 2.x

Posted by Dave Newton <da...@gmail.com>.
It's only "present" if you're using the Struts 1 plugin.

Are you?


On Thu, Apr 28, 2016 at 6:34 PM, Anu Krishna Rajamohan <ar...@ncsu.edu>
wrote:

> Hi,
>
> As Apache Struts 1.x is pretty old and it suffers from many security
> vulnerabilities, I decided to use a recent version of Apache Struts 2.x
> (Struts 2.3.24.1). However, I find that struts-core-1.3.10 jar is present
> in struts 2.x. Can you please let me know if the presence of this jar makes
> Struts 2.x vulnerable to security issues such as CVE-2012-1007
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.
>
> Thanks and Best Regards,
> Anu
>



-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
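Both replies above come down to one question a deployer can answer mechanically: is struts-core-1.3.10.jar actually in the application's WEB-INF/lib, and if so, is it there because the Struts 1 plugin is in use or only because the whole zip bundle was copied in? The script below is an added example written for this thread, not code from the Apache Struts project or from anyone posting here. It assumes the Struts 1 core jar is named struts-core-<version>.jar (as in the thread) and assumes the Struts 2 plugin jar is named struts2-struts1-plugin-<version>.jar; the jars it scans are constructed in a temporary directory purely as a fixture.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Filename patterns. Struts 1.3.x core ships as struts-core-<version>.jar (the jar
# named in this thread); the Struts 2 plugin that depends on it is assumed here to
# be named struts2-struts1-plugin-<version>.jar.
STRUTS1_CORE = re.compile(r"^struts-core-(\d+(?:\.\d+)*)\.jar$")
STRUTS1_PLUGIN = re.compile(r"^struts2-struts1-plugin-(\d+(?:\.\d+)*)\.jar$")


def manifest_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(jar_path) as z:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def audit_lib(lib_dir):
    """Scan a WEB-INF/lib directory for Struts 1 core jars and the plugin that needs them."""
    findings = {"struts1_core": [], "struts1_plugin": []}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        if m := STRUTS1_CORE.match(jar.name):
            # Prefer the manifest version; fall back to the version in the filename.
            version = manifest_version(jar) or m.group(1)
            findings["struts1_core"].append((jar.name, version))
        elif m := STRUTS1_PLUGIN.match(jar.name):
            findings["struts1_plugin"].append((jar.name, m.group(1)))
    return findings


def classify(findings):
    """One of: 'clean', 'plugin-in-use', 'unneeded-struts1-core'."""
    if not findings["struts1_core"]:
        return "clean"
    if findings["struts1_plugin"]:
        return "plugin-in-use"          # a real dependency: track its advisories
    return "unneeded-struts1-core"      # drop it from the build, as the thread advises


def build_demo_lib():
    """Constructed fixture: a WEB-INF/lib copied wholesale from the zip bundle."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    fixtures = {
        "struts2-core-2.3.24.1.jar": "2.3.24.1",
        "struts-core-1.3.10.jar": "1.3.10",
        "commons-logging-1.1.3.jar": "1.1.3",
    }
    for name, version in fixtures.items():
        with zipfile.ZipFile(lib / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return lib


if __name__ == "__main__":
    demo = build_demo_lib()
    result = audit_lib(demo)
    for kind, jars in result.items():
        for name, version in jars:
            print(f"{kind}: {name} (version {version})")
    print("verdict:", classify(result))
```

Point it at a real deployment with `audit_lib("/path/to/webapp/WEB-INF/lib")`. A verdict of `unneeded-struts1-core` is the situation Christoph describes: the jar arrived with the zip bundle rather than through a declared dependency, and the fix is to build with dependency management so it is never packaged; `plugin-in-use` means the jar is genuinely needed and its advisories have to be tracked like any other dependency.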

Re: Security Vulnerability for Struts 1.3.10 in Struts 2.x

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Anu,

On 4/28/16 6:34 PM, Anu Krishna Rajamohan wrote:
> As Apache Struts 1.x is pretty old and it suffers from many
> security vulnerabilities, I decided to use a recent version of
> Apache Struts 2.x (Struts 2.3.24.1). However, I find that
> struts-core-1.3.10 jar is present in struts 2.x. Can you please let
> me know if the presence of this jar makes Struts 2.x vulnerable to
> security issues such as CVE-2012-1007 
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.

It's worth pointing out that CVE-2012-1007 specifically is an XSS
vulnerability in the Struts example web application. There is really
no need to ever deploy that application anywhere but a dev server
playground.

The presence of the JAR does not deploy this examples web application,
so you won't be vulnerable to CVE-2012-1007 unless you really try hard
to expose yourself.

-chris
