
grouper-users - [grouper-users] Grouper's use of Apache Struts

Subject: Grouper Users - Open Discussion List


[grouper-users] Grouper's use of Apache Struts


  • From: Baron Fujimoto <>
  • To: Grouper Users <>
  • Subject: [grouper-users] Grouper's use of Apache Struts
  • Date: Tue, 26 Sep 2017 17:05:22 -1000

Due to the recent high profile Equifax breach attributed to
vulnerabilities in Apache Struts, use of Struts within our organization
has come under scrutiny. It would help us to address concerns if these
questions could be answered.

It's our understanding that Grouper is not subject to recently announced
vulnerabilities in Struts, e.g. CVE-2017-5638
<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
older versions of Struts 2, whereas Grouper uses Struts v1.

How can you tell specifically which version of Struts is being used in a
Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:

Specification-Title: Struts Framework
Specification-Vendor: The Apache Software Foundation
Specification-Version: 1.2.4

Is this a reliable way to get the version information?

Is the only place Grouper uses Struts in the UI? Not, say, by the WS?

The assumed non-vulnerability to CVE-2017-5638 notwithstanding, it was
brought to our attention that Struts 1 is implicated in CVE-2014-0114
<https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
turn up anything about this in the Grouper context. Has this risk been
assessed for Grouper?

If called for, would the mitigation strategy described here work with
Grouper, or is there perhaps a fly in the ointment?
<https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>

It's also been pointed out to us that Struts 1 itself was EOL as of
2013-04. Per their announcement, should a major security problem or a
serious bug be reported for Struts 1, no new releases or fixes may be
expected. <https://struts.apache.org/struts1eol-announcement.html>

Given this, what is Grouper's future with regard to its use of Struts?

Aloha,
-baron
--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
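Two of the questions above (how to tell which Struts version a deployment actually carries, and whether a parameter-name screen of the kind the F5 article describes fits the application) can be checked locally. The following is an added example, not code from the post or from the Grouper project. It reads `META-INF/MANIFEST.MF` out of every `.jar` under a deployment directory and reports the `Specification-Version` / `Implementation-Version` of any jar whose title names Struts, flagging 1.x as end-of-life (the 2013-04 EOL date is the one the post cites). It also shows a simplified, assumed detection rule for the ClassLoader-manipulation class of issue: Struts 1 binds request parameters onto form-bean properties, so a parameter whose name walks into a bean's `class` property (for example `class.classLoader...`) has no legitimate use and is worth alerting on in access logs before deciding on a WAF rule. The sample jar, manifest and log lines are constructed inline; the manifest mirrors the fields quoted in the post. The paths and IP addresses are made up.

```python
import io
import re
import zipfile
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

# "Key: value" lines in a JAR manifest's main section.
_MANIFEST_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict.
    A line starting with a space continues the previous value (JAR spec);
    the first blank line ends the main section."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            attrs[last] += raw[1:]
            continue
        if not raw.strip():
            break
        m = _MANIFEST_LINE.match(raw)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
    return attrs


def struts_version_from_jar(jar_bytes):
    """Return (Specification-Version, Implementation-Version) when the jar's
    manifest title names Struts, else None. Either element may be None if
    the manifest omits that attribute."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None  # no manifest at all
    attrs = parse_manifest(text)
    title = (attrs.get("Specification-Title", "") + " "
             + attrs.get("Implementation-Title", "")).lower()
    if "struts" not in title:
        return None
    return attrs.get("Specification-Version"), attrs.get("Implementation-Version")


def classify(version):
    """Map a version string to a short status label."""
    if not version:
        return "unknown"
    major = version.split(".")[0]
    if major == "1":
        return "Struts 1 (EOL since 2013-04)"
    if major == "2":
        return "Struts 2"
    return "unrecognised"


def inventory(deploy_dir):
    """Walk an exploded deployment and list every Struts jar with its status."""
    found = []
    for jar in Path(deploy_dir).rglob("*.jar"):
        info = struts_version_from_jar(jar.read_bytes())
        if info:
            spec, impl = info
            found.append((str(jar), spec, impl, classify(spec or impl)))
    return found


# Assumed, simplified rule: a parameter name whose segments include a bare
# "class" property (class.x, class[...], or just "class"). Form beans never
# expose this legitimately, so any hit is worth a look.
_CLASS_PROP = re.compile(r"(^|\.)class(\.|\[|$)", re.IGNORECASE)


def suspicious_params(query_string):
    """Parameter names in a query string that touch a 'class' property."""
    return [name for name, _ in parse_qsl(query_string, keep_blank_values=True)
            if _CLASS_PROP.search(name)]


def scan_access_log(lines):
    """Return (client, path, flagged_names) for common-log-format requests
    whose query string carries such a parameter name."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a well-formed common-log line
        client, request_target = parts[0], parts[6]
        parsed = urlsplit(request_target)
        flagged = suspicious_params(parsed.query)
        if flagged:
            hits.append((client, parsed.path, flagged))
    return hits


def build_sample_jar(manifest_text):
    """Constructed jar containing only a manifest, for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifest mirroring the fields quoted in the post.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Specification-Title: Struts Framework\r\n"
    "Specification-Vendor: The Apache Software Foundation\r\n"
    "Specification-Version: 1.2.4\r\n"
    "\r\n"
)

# Constructed access-log lines; hosts and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2017:17:05:22 -1000] "GET /ui/index.do?operation=Misc.index HTTP/1.1" 200 4125',
    '10.0.0.9 - - [26/Sep/2017:17:06:01 -1000] "GET /ui/search.do?class.classLoader.foo=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Sep/2017:17:06:02 -1000] "POST /ui/search.do?className=bar HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    spec, impl = struts_version_from_jar(build_sample_jar(SAMPLE_MANIFEST))
    print("sample jar:", spec, impl, classify(spec))
    for hit in scan_access_log(SAMPLE_LOG):
        print("flagged:", hit)
```

`inventory("/path/to/exploded/webapp")` is the call to run against a real deployment once the WAR is unpacked; it only looks at jars whose manifest title names Struts, so a repackaged or shaded jar with a different title would be missed and a filename check is a sensible second pass. The `classify` label is read from `Specification-Version` first and `Implementation-Version` as a fallback. The log screen is deliberately narrow (the `class` property only) so it produces few false positives; `className` in the third sample line is not flagged.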
