grouper-users - Re: [grouper-users] Grouper's use of Apache Struts

Subject: Grouper Users - Open Discussion List

  • From: Baron Fujimoto <>
  • To: "Hyzer, Chris" <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] Grouper's use of Apache Struts
  • Date: Wed, 27 Sep 2017 09:41:13 -1000

Mahalo for the responses. For clarification, does the use of beanutils
1.9.2 which provides for the suppression of properties, including "class"
mean that this vulnerability is actually mitigated in Grouper?

It actually seems a little ambiguous, since the BEANUTILS-463 issue
indicates that the issue is addressable in BeanUtils 1.9.2, but
CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
more clearly or accurately worded, but confirmation would be helpful.

Thanks also for the roadmap/timeline for Grouper's plans for Struts going
forward.

On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>Yes 1.2.4
>Yes the manifest is a reliable way to get the version
>We use beanutils 1.9.2: https://issues.apache.org/jira/browse/BEANUTILS-463
>Struts is only in UI, not WS
>We are trying to get struts out of Grouper by the end of the calendar year...
>
>Thanks
>Chris
>
>-----Original Message-----
>From: [mailto:] On Behalf Of Baron Fujimoto
>Sent: Tuesday, September 26, 2017 11:05 PM
>To: Grouper Users <>
>Subject: [grouper-users] Grouper's use of Apache Struts
>
>Due to the recent high profile Equifax breach attributed to
>vulnerabilities in Apache Struts, use of Struts within our organization
>has come under scrutiny. It would help us to address concerns if these
>questions could be answered.
>
>It's our understanding that Grouper is not subject to recently announced
>vulnerabilities in Struts, e.g. CVE-2017-5638
><https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
>older versions of Struts 2, whereas Grouper uses Struts v1.
>
>How can you tell specifically which version of Struts is being used in a
>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>
>Specification-Title: Struts Framework
>Specification-Vendor: The Apache Software Foundation
>Specification-Version: 1.2.4
>
>Is this a reliable way to get the version information?
>
>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>
>The assumed non-vulnerability to CVE-2017-5638 notwithstanding, it was
>brought to our attention that Struts 1 is implicated in CVE-2014-0114
><https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
>turn up anything about this in the Grouper context. Has this risk been
>assessed for Grouper?
>
>If called for, would the mitigation strategy described here work with
>Grouper, or is there perhaps a fly in the ointment?
><https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>
>
>It's also been pointed out to us that Struts 1 itself was EOL as of
>2013-04. Per their announcement, should a major security problem or a
>serious bug be reported for Struts 1, no new releases or fixes may be
>expected. <https://struts.apache.org/struts1eol-announcement.html>
>
>Given this, what is Grouper's future with regard to its use of Struts?
>
>Aloha,
>-baron
>--
>Baron Fujimoto
><>
> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
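The question in this thread is whether BeanUtils 1.9.2 by itself closes the CVE-2014-0114 class-loader property exposure. The example below is added here and is not Grouper, Struts or BeanUtils code. It assumes commons-beanutils 1.9.2 or later on the classpath and uses a hypothetical `LoginForm` bean standing in for a Struts ActionForm. It checks whether a `PropertyUtilsBean` still resolves the `class` property, and shows the opt-in suppression that BEANUTILS-463 added via `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`.

```java
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not Grouper, Struts or BeanUtils project code).
 * Checks whether a BeanUtils instance exposes the "class" property that
 * CVE-2014-0114 abuses, and shows the BEANUTILS-463 mitigation shipped in
 * commons-beanutils 1.9.2. Assumes beanutils 1.9.2+ on the classpath.
 */
public class BeanUtilsClassPropertyCheck {

    /** Hypothetical form bean standing in for a Struts 1 ActionForm. */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /** True if BeanUtils would resolve a property named "class" on the bean. */
    public static boolean exposesClassProperty(PropertyUtilsBean propertyUtils, Object bean) {
        for (PropertyDescriptor pd : propertyUtils.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    /** A BeanUtilsBean with the "class" property suppressed (BEANUTILS-463). */
    public static BeanUtilsBean hardenedBeanUtils() {
        // A fresh PropertyUtilsBean: descriptors are cached per class, so the
        // introspector must be registered before any bean is introspected.
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        // In 1.9.2 this is opt-in: nothing is hidden until this line runs.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), propertyUtils);
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();

        // Default configuration: "class" is a readable bean property, so a
        // request parameter whose name starts with "class." is resolved
        // against java.lang.Class rather than rejected.
        BeanUtilsBean defaults = new BeanUtilsBean();
        System.out.println("default exposes 'class': "
                + exposesClassProperty(defaults.getPropertyUtils(), form));

        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened exposes 'class': "
                + exposesClassProperty(hardened.getPropertyUtils(), form));

        // Ordinary population still works on the hardened instance; the map is
        // a constructed stand-in for the request parameters Struts would pass.
        Map<String, String> params = new HashMap<>();
        params.put("username", "alice");
        hardened.populate(form, params);
        System.out.println("username = " + form.getUsername());
    }
}
```

The first check prints `true` and the second `false`, which is the distinction the CVE wording blurs: 1.9.2 provides the suppression but does not enable it, so an application has to register the introspector itself. Struts 1 populates ActionForms through the static `BeanUtils.populate` facade, which uses the per-classloader `BeanUtilsBean.getInstance()`; to protect that path the introspector has to be added to `BeanUtilsBean.getInstance().getPropertyUtils()` before the first request is processed, for example from a `ServletContextListener`. Whether the Grouper UI does that is what the thread asks and this example cannot answer; the check function above is a way to verify it against a running instance.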


