Is there a future 2.3.x release for CVE-2018-7489 recently


Is there a future 2.3.x release for CVE-2018-7489 recently

song6295@gmail.com
My team needs to fix CVE-2018-7489 in a few days, and there are lots of code changes if we migrate to 2.5.x.
Where can I find the release schedule plans for Struts 2?

Thanks.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Is there a future 2.3.x release for CVE-2018-7489 recently

Lukasz Lenart
2018-03-30 5:14 GMT+02:00 [hidden email] <[hidden email]>:
> My team needs to fix CVE-2018-7489 in a few days, and there are lots of code changes if we migrate to 2.5.x.
> Where can I find the release schedule plans for Struts 2?

Not sure what you mean by that? This vulnerability is only possible
when you are using @JsonTypeInfo on Object (which means you
are using a very broad pattern) or if you enabled "default typing" in
Jackson. Please read this [1] article for the full story.

[1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

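The two Jackson configurations named in the reply above, as an added example that is not part of the thread: the broad patterns (a polymorphic field typed as Object with class ids, and global default typing) beside a closed set of named subtypes. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API; the Message, Note and Ping classes are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingExample {

    // Broad pattern 1: a polymorphic field declared as Object with CLASS ids.
    // The incoming JSON, not the application, decides which class gets instantiated.
    public static class RiskyEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Broad pattern 2: global default typing; every Object/abstract-typed field becomes polymorphic.
    @SuppressWarnings("deprecation")
    public static ObjectMapper riskyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened pattern: a narrow base type with an explicit, closed set of named subtypes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Note.class, name = "note"),
        @JsonSubTypes.Type(value = Ping.class, name = "ping")
    })
    public interface Message {}
    public static class Note implements Message { public String text; }
    public static class Ping implements Message { public long sentAt; }

    public static class SafeEnvelope { public Message payload; }

    // If default typing is genuinely required, Jackson 2.10+ demands a validator that
    // restricts which subtypes may be deserialized; this one admits only Message implementations.
    public static ObjectMapper validatedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Message.class)
            .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a "type" name from the allowlist resolves to Note;
        // an unknown name is rejected instead of being resolved to an arbitrary class.
        String json = "{\"payload\":{\"type\":\"note\",\"text\":\"hi\"}}";
        SafeEnvelope e = new ObjectMapper().readValue(json, SafeEnvelope.class);
        System.out.println(e.payload.getClass().getSimpleName());
    }
}
```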


Re: Is there a future 2.3.x release for CVE-2018-7489 recently

song6295@gmail.com
Hi Lukasz,
Sorry, I pasted the wrong CVE identifier in the subject; the CVE I want to check is CVE-2018-1327 (S2-056, Affected Software: Struts 2.1.1 - Struts 2.5.14.1).

Actually, my application doesn't even have the Struts REST plugin jars in its package. But it seems one of my big customers has very strict security policies: they found there's Struts 2.3.x in my application, and there's a vulnerability in the Struts jars, so their security team requested the operations team to shut down the application server before this gets fixed.

So I want to check: is there any plan for 2.3.x releases?

Thanks.

On 2018/03/30 07:50:43, Lukasz Lenart <[hidden email]> wrote:

> 2018-03-30 5:14 GMT+02:00 [hidden email] <[hidden email]>:
> > My team needs to fix CVE-2018-7489 in a few days, and there are lots of code changes if we migrate to 2.5.x.
> > Where can I find the release schedule plans for Struts 2?
>
> Not sure what you mean by that? This vulnerability is only possible
> when you are using @JsonTypeInfo on Object (which means you
> are using a very broad pattern) or if you enabled "default typing" in
> Jackson. Please read this [1] article for the full story.
>
> [1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: Is there a future 2.3.x release for CVE-2018-7489 recently

Lukasz Lenart
2018-03-30 12:39 GMT+02:00 [hidden email] <[hidden email]>:
> Hi Lukasz,
> Sorry, I pasted the wrong CVE identifier in the subject; the CVE I want to check is CVE-2018-1327 (S2-056, Affected Software: Struts 2.1.1 - Struts 2.5.14.1).
>
> Actually, my application doesn't even have the Struts REST plugin jars in its package. But it seems one of my big customers has very strict security policies: they found there's Struts 2.3.x in my application, and there's a vulnerability in the Struts jars, so their security team requested the operations team to shut down the application server before this gets fixed.
>
> So I want to check: is there any plan for 2.3.x releases?

I didn't plan a new version of 2.3.x, as this can be easily fixed, and
also if you do not use the mentioned plugin it doesn't make sense to
upgrade. The problem is that we are not able to build 2.3.x on Jenkins
as Java 1.6 isn't supported, so my idea was to switch to 2.4.x with
Java 7 as a requirement.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
