grouper-users - RE: [grouper-users] Grouper's use of Apache Struts
Subject: Grouper Users - Open Discussion List
List archive
- From: "Hyzer, Chris" <>
- To: Baron Fujimoto <>, Grouper Users <>
- Subject: RE: [grouper-users] Grouper's use of Apache Struts
- Date: Wed, 27 Sep 2017 15:36:52 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:Y4i7/ROxWhJ/7gV5DaQl6mtUPXoX/o7sNwtQ0KIMzox0K/z/o8bcNUDSrc9gkEXOFd2CrakV26yO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMhzexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzca3HfdMeWGFPQMBfWSJcCY+4docCD+8NMOBFpIf/ulQOtwOzCwmyCu3y1j9GiHz43aM43OQgDQ7I0wMvEskSsHTNsNn5KLseXfyrwKTO0D7Nb+lW2TD46IXQfBwvo/GNXLNufsrL0UUkCh3IjlWKqYzkJDOZ2PkGvm+e7+V8VeKui28mpB9rojW0x8cskZXGipgIylDc6yp5xoA1KcemR0FmfN6pCZ1dvDyUOYtxR8MtWWBouCAix70AuJ67ZzQKxI4oxx7YdfyLa5KH4gr5W+mNITd3mmhpeLWlhxa96USgxO3xWtOo31ZNqypIlMTHuHMV1xHL9MSIUOdx8lqk1DqSygzf9+RJIU47mKbHN5Isx7w9mYQcvEjdGyL7nVv6gLOSe0k85+Sl5fjrbq/iq5OBLYN4lBzyP6A0lsCiA+k1Mw4DVHWB9+umzr3s50j5Ta1KjvIolqnZt4jXK9wHq6C+HwNZz58v5gu9ADu4ydgYmmIII0xfdBKAkojpJ0rBIPflDfe5nlugii9rx+rBPr39HJrCMmTDkLbmfbZ78UJczxczzcxb55JTDbEBI+j/VVP2tNzdFhM5Mgq0zPj7CNhlyI8RQ36DDrKcPa/PrFOE++ciI+eDaYMJpDrwLvoo6ODhgHMnnFIQeLel0YcTZXygG/RpOUSZYX7igtcbFmcKuxIzTOn2h12CUT9SZmi9X7gn6zE6E4KpEZ3PRp21gLOf2ie7GIdaaX5bBVCRCXvobZmLW+8QaCKOJc9sijMEVaKmS488zRGhqhX6x6N6LurP5CIYr4nj2cNx5+3SjhEy6Sd0A9qH32GMSWF0gn0HRyUw3K9hvUxx1E2P3rZljPxFRpRv4KZjWx09M9by0u57DtfuXUqVdN6TT1COQty5CDAwCN893olKK2lnHMi6gwqL4jGnGaRdw7ORA4Es/7iZwmP8Pd1VynDa2bMngkV8BMZDKDv1qLR48l2ZJ5/bnl/d342qb6UHlmaZ8WyD3HiDpmlZSwU2TL3IW3ZZa0fL+4eqrnjeRqOjXOx0ejBKztSPf+4TMoDk
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Yes 1.2.4
Yes the manifest is a reliable way to get the version
We use beanutils 1.9.2: https://issues.apache.org/jira/browse/BEANUTILS-463
Struts is only in UI, not WS
We are trying to get struts out of Grouper by the end of the calendar year...
Thanks
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Baron Fujimoto
Sent: Tuesday, September 26, 2017 11:05 PM
To: Grouper Users
<>
Subject: [grouper-users] Grouper's use of Apache Struts
Due to the recent high profile Equifax breach attributed to
vulnerabilities in Apache Struts, use of Struts within our organization
has come under scrutiny. It would help us to address concerns if these
questions could be answered.
It's our understanding that Grouper is not subject to recently announced
vulnerabilities in Struts, e.g. CVE-2017-5638
<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
older version of Struts 2, whereas Grouper uses Struts v1.
How can you tell specifically which version of Struts is being used in a
Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
Specification-Title: Struts Framework
Specification-Vendor: The Apache Software Foundation
Specification-Version: 1.2.4
Is this a reliable way to get the version information?
Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
The assumed non-vulnerablity to CVE-2017-5638 notwithstanding, it was
brought to our attention that Struts 1 is implicated in CVE-2014-0114
<https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
turn up anything about this in the Grouper context. Has this risk been
assessed for Grouper?
If called for, would the mitigation strategy described here work with
Grouper, or is there perhaps a fly in the ointment?
<https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>
It's also been pointed out to us that Struts 1 itself was EOL as of
2013-04. Per their announcement, should a major security problem or a
serious bug reported for Struts 1, no new releases or fixes fixes may be
expected. <https://struts.apache.org/struts1eol-announcement.html>
Given this, what is Grouper's future with regard to its use of Struts?
Aloha,
-baron
--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
- [grouper-users] Grouper's use of Apache Struts, Baron Fujimoto, 09/27/2017
- RE: [grouper-users] Grouper's use of Apache Struts, Hyzer, Chris, 09/27/2017
- Re: [grouper-users] Grouper's use of Apache Struts, Baron Fujimoto, 09/27/2017
- RE: [grouper-users] Grouper's use of Apache Struts, Hyzer, Chris, 09/27/2017
Archive powered by MHonArc 2.6.19.