[ANN] [SECURITY] Corrected affected version ranges in historic Apache,Struts security bulletins and CVE entries

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ANN] [SECURITY] Corrected affected version ranges in historic Apache,Struts security bulletins and CVE entries

Rene Gielen-2
The Apache Struts Security Team would like to announce that a number of
historic Struts Security Bulletins [1] and related CVE database entries
contained incorrect affected release version ranges.

The issue was reported by Christopher Fearon and the Black Duck Research
Team within the Synopsys Cybersecurity Research Center. The reporting
entity conducted thorough investigations on this matter, leading to a
report to the Apache Struts Security Team. The Apache Struts Security
Team worked with the reporters to cross-check said issues and map them
to affected Apache Struts General Availability (GA) releases.

This effort led to the issue of Struts Security Bulletin S2-058,
referencing 15 historic Struts Security Bulletins and respective CVE
entries [2] that have been updated to reflect corrections in affected GA
version ranges as well as minimum GA versions to contain appropriate
fixes for the issues at hand.

The full Security Bulletin can be found here:
https://cwiki.apache.org/confluence/display/WW/S2-058

The Struts Security Team stresses that while the reporters reference
more affected issues and resulting affected version ranges, the Struts
Security Bulletins only cover GA versions designated for production use.
This led to less corrected Security Bulletins and CVE entries [2]
compared to the number of covered issues in the original report.

It is very important to understand that while the individual listed
bulletins contain updated minimum fix versions, it is strongly
recommended to update to the versions recommended by the latest Security
Bulletin, which is S2-057 [3] by the time of this announcement.
Following this advice, the recommended minimum Struts versions to
operate in production are Struts 2.3.35 or Struts 2.5.17.

The Apache Struts Security Team would like to thank the reporters for
their efforts and their practice of responsible disclosure, as well as
their help while investigating the report and coordinating public
disclosure.

[1] https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
[2] https://github.com/CVEProject/cvelist/pull/2423/files
[3] https://cwiki.apache.org/confluence/display/WW/S2-057

--
René Gielen
http://twitter.com/rgielen

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]