Apache Struts Vulnerability - CVE-2017-9791

Apache Struts Vulnerability - CVE-2017-9791

Chunduru, Krishnachaithanya
Hi All,

Can someone please confirm if Apache 2.4.10 is vulnerable to CVE-2017-9791?

We came to know that Apache running Apache Struts version 2.3.x with the Struts 1 plugin and a Struts 1 action is highly vulnerable. If exploited, this vulnerability would allow a remote code execution attack.

I tried checking the MANIFEST.MF file, where the implementation version shows v.1.1. How do we resolve this issue? Can we upgrade Struts? Thank you.

Regards,
Krishna


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Apache Struts Vulnerability - CVE-2017-9791

Lukasz Lenart
2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya
<[hidden email]>:

> Can someone please confirm if Apache 2.4.10 is vulnerable to CVE-2017-9791?

I assume you meant 2.5.10, as there is no such version as 2.4.10. And
as stated in the description, the 2.5.x series isn't affected, as it doesn't
ship with the Struts 1 plugin; only Struts 2.3.x can be affected:

http://struts.apache.org/docs/s2-048.html

> I tried checking the MANIFEST.MF file, where the implementation version shows v.1.1. How do we resolve this issue? Can we upgrade Struts? Thank you.

Looks like you are running the previous version of Struts, version 1.1,
which isn't affected by the vulnerability (but there are other
vulnerabilities which affect this version).


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

RE: Apache Struts Vulnerability - CVE-2017-9791

Chunduru, Krishnachaithanya
Hi Lukasz,

Thanks for the prompt response.

I was referring to the Apache version we have, i.e., 2.4.10.

I'm not sure how to check the Struts version we have. As you mentioned, the 2.5.x series is not affected; where and how do I check this version on the server? I tried googling these issues but it was of very little help.

I was also trying to check for the other vulnerabilities that are present in the 1.1 version. Once again, thanks for the help.

Regards,
Krishna

Re: Apache Struts Vulnerability - CVE-2017-9791

Lukasz Lenart
2017-07-24 9:36 GMT+02:00 Chunduru, Krishnachaithanya
<[hidden email]>:
> I was referring to Apache version we have i.e., 2.4.10.

There is no such version of Struts -> http://struts.apache.org/downloads.html


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

RE: Apache Struts Vulnerability - CVE-2017-9791

Chunduru, Krishnachaithanya
Sorry, I might have confused it.

I was referring to the Apache Webserver 2.4.10 running in our environment.

Can you please let me know how to check the current Struts version I'm using?

Regards,
Krishna

Re: Apache Struts Vulnerability - CVE-2017-9791

Lukasz Lenart
2017-07-24 10:57 GMT+02:00 Chunduru, Krishnachaithanya
<[hidden email]>:
> I was referring to the Apache Webserver 2.4.10 running in our environment.

But you still need a Servlet container, e.g. Tomcat, Jetty or another,
to run a Struts-based app.

> Can you please let me know how to check the current Struts version I'm using?

As you already did, by checking the MANIFEST file, which says you are
using Struts 1.1.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
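The two answers above (2.5.x not affected because it does not ship the Struts 1 plugin, 2.3.x with the plugin affected, Struts 1.1 not affected by this CVE, and "check the MANIFEST file" to find the version) can be turned into a repeatable check. The script below is an added example, not code from this thread or from the Struts project. It assumes the standard jar names `struts2-core-*.jar`, `struts2-struts1-plugin-*.jar` and, for Struts 1, `struts.jar` / `struts-core-*.jar`, and reads the version from each jar's `Implementation-Version` (falling back to `Bundle-Version`). The sample manifests are constructed; one of them wraps its version line to show why a manifest parser has to honour continuation lines.

```python
"""Report exposure to S2-048 / CVE-2017-9791 from the Struts jars in a
web application's WEB-INF/lib, using the jar manifests.

Added example, not code from the Struts project. Assumed (not from the
thread): the standard jar naming conventions listed in the lead-in.
"""
import sys
import zipfile
from pathlib import Path


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Manifest lines are wrapped at 72 bytes; a continuation line begins
    with a single space and is appended to the previous attribute.
    The main section ends at the first blank line.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw == "":
            break  # per-entry sections follow; not needed here
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def jar_version(manifest):
    """Version string of a jar, from the usual manifest attributes."""
    return (manifest.get("Implementation-Version")
            or manifest.get("Bundle-Version")
            or "unknown")


def major_minor(version):
    """'2.3.32' -> ('2', '3'); used to compare release series."""
    return tuple(version.split(".")[:2])


def assess_s2_048(jars):
    """jars: mapping of jar file name -> manifest text.

    Returns the Struts versions found plus a status:
      affected                Struts 2.3.x together with the Struts 1 plugin;
                              treat as affected and consult the S2-048 advisory
      not-affected-2.5        Struts 2.5.x (the plugin is not shipped)
      not-affected-no-plugin  Struts 2.3.x without the Struts 1 plugin jar
      struts1-only            only Struts 1.x found (not this CVE, but
                              Struts 1 has its own vulnerabilities)
      no-struts               no Struts core jar found
    """
    result = {"struts2": None, "struts1": None, "struts1_plugin": False}
    for name, text in jars.items():
        lower = name.lower()
        if not lower.endswith(".jar"):
            continue
        version = jar_version(parse_manifest(text))
        if lower.startswith("struts2-core-"):
            result["struts2"] = version
        elif lower.startswith("struts2-struts1-plugin-"):
            result["struts1_plugin"] = True
        elif lower == "struts.jar" or lower.startswith("struts-core-"):
            result["struts1"] = version

    s2 = result["struts2"]
    if s2 is None:
        result["status"] = "struts1-only" if result["struts1"] else "no-struts"
    elif major_minor(s2) == ("2", "5"):
        result["status"] = "not-affected-2.5"
    elif major_minor(s2) == ("2", "3") and result["struts1_plugin"]:
        result["status"] = "affected"
    elif major_minor(s2) == ("2", "3"):
        result["status"] = "not-affected-no-plugin"
    else:
        result["status"] = "unknown-version"
    return result


def scan_lib_dir(lib_dir):
    """Read META-INF/MANIFEST.MF from every jar in a directory (e.g. WEB-INF/lib)."""
    jars = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            try:
                data = zf.read("META-INF/MANIFEST.MF")
            except KeyError:
                data = b""  # jar without a manifest
        jars[jar.name] = data.decode("utf-8", errors="replace")
    return jars


# Constructed manifests standing in for real jars. The wrapped
# Implementation-Version line exercises the continuation-line rule.
CONSTRUCTED_LIBS = {
    "struts-1.1 (the poster's case)": {
        "struts.jar": "Manifest-Version: 1.0\nImplementation-Version: 1.1\n",
    },
    "struts-2.3 with struts1 plugin": {
        "struts2-core-2.3.32.jar":
            "Manifest-Version: 1.0\nImplementation-Title: Struts 2 Core\n"
            "Implementation-Version: 2.3.\n 32\n\nName: org/\n",
        "struts2-struts1-plugin-2.3.32.jar":
            "Manifest-Version: 1.0\nImplementation-Version: 2.3.32\n",
    },
    "struts-2.5": {
        "struts2-core-2.5.10.jar":
            "Manifest-Version: 1.0\nImplementation-Version: 2.5.10\n",
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_s2_048(scan_lib_dir(sys.argv[1])))  # path to WEB-INF/lib
    else:
        for label, jars in CONSTRUCTED_LIBS.items():
            print(f"{label}: {assess_s2_048(jars)}")
```

Run it with the path of the deployed application's `WEB-INF/lib` as the only argument; with no argument it evaluates the constructed samples. The plugin check is by jar name only, so an application that bundles the plugin classes some other way still needs a manual look at its configuration, and an "affected" result means "review against the S2-048 advisory", not a confirmed exploitable deployment.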
