
grouper-users - Re: [grouper-users] Grouper's use of Apache Struts

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] Grouper's use of Apache Struts
  • From: Baron Fujimoto <>
  • To: "Hyzer, Chris" <>, Grouper Users <>
  • Subject: Re: [grouper-users] Grouper's use of Apache Struts
  • Date: Fri, 13 Oct 2017 13:41:48 -1000

Apologies for possibly beating a dead horse, but can anyone confirm that
Grouper is using the features available in BeanUtils 1.9.2 to mitigate
CVE-2014-0114?

Without positive confirmation, we'll probably have to firewall off our
Grouper to limit exposure, which we'd obviously rather avoid if
unnecessary.

It doesn't seem like anyone else seems particularly concerned about this
that we've noticed. Are we overreacting?

Aloha,
-baron

On Wed, Sep 27, 2017 at 07:41:13PM +0000, Baron Fujimoto wrote:
>Mahalo for the responses. For clarification, does the use of beanutils
>1.9.2 which provides for the suppression of properties, including "class"
>mean that this vulnerability is actually mitigated in Grouper?
>
>It actually seems a little ambiguous, since the BEANUTILS-463 issue
>indicates that the issue is addressable in BeanUtils 1.9.2, but
>CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
>the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
>more clearly or accurately worded, but confirmation would be helpful.
>
>Thanks also for the roadmap/timeline for Grouper's plans for Struts going
>forward.
>
>On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>>Yes 1.2.4
>>Yes the manifest is a reliable way to get the version
>>We use beanutils 1.9.2: https://issues.apache.org/jira/browse/BEANUTILS-463
>>Struts is only in UI, not WS
>>We are trying to get struts out of Grouper by the end of the calendar
>>year...
>>
>>Thanks
>>Chris
>>
>>-----Original Message-----
>>From: [mailto:] On Behalf Of Baron Fujimoto
>>Sent: Tuesday, September 26, 2017 11:05 PM
>>To: Grouper Users <>
>>Subject: [grouper-users] Grouper's use of Apache Struts
>>
>>Due to the recent high profile Equifax breach attributed to
>>vulnerabilities in Apache Struts, use of Struts within our organization
>>has come under scrutiny. It would help us to address concerns if these
>>questions could be answered.
>>
>>It's our understanding that Grouper is not subject to recently announced
>>vulnerabilities in Struts, e.g. CVE-2017-5638
>><https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
>>older version of Struts 2, whereas Grouper uses Struts v1.
>>
>>How can you tell specifically which version of Struts is being used in a
>>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>>
>>Specification-Title: Struts Framework
>>Specification-Vendor: The Apache Software Foundation
>>Specification-Version: 1.2.4
>>
>>Is this a reliable way to get the version information?
>>
>>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>>
>>The assumed non-vulnerability to CVE-2017-5638 notwithstanding, it was
>>brought to our attention that Struts 1 is implicated in CVE-2014-0114
>><https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
>>turn up anything about this in the Grouper context. Has this risk been
>>assessed for Grouper?
>>
>>If called for, would the mitigation strategy described here work with
>>Grouper, or is there perhaps a fly in the ointment?
>><https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>
>>
>>It's also been pointed out to us that Struts 1 itself was EOL as of
>>2013-04. Per their announcement, should a major security problem or a
>>serious bug be reported for Struts 1, no new releases or fixes may be
>>expected. <https://struts.apache.org/struts1eol-announcement.html>
>>
>>Given this, what is Grouper's future with regard to its use of Struts?

--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
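The version question in the quoted original message (reading struts.jar's MANIFEST) generalizes to an inventory check over every jar in a deployment. The script below is an added example, not code from this thread or from the Grouper project. It parses META-INF/MANIFEST.MF the way the JAR specification defines it (a line beginning with one space continues the previous attribute), reports Specification- and Implementation-Version, and maps what it finds to the points raised in the thread: Struts 1.x is EOL and is not the Struts 2 line that CVE-2017-5638 applies to, and Commons BeanUtils 1.9.2 is the first release that can suppress the "class" property relevant to CVE-2014-0114. The sample jars are constructed inline from the manifest lines quoted above; the directory passed to scan() and the jar file names are assumptions.

```python
"""Inventory Struts and Commons BeanUtils versions from JAR manifests.

Added example, not code from the thread or from Grouper. Reads each jar's
META-INF/MANIFEST.MF (where the thread's struts.jar version came from) and
maps the versions to the issues discussed. Sample jars are constructed below.
"""
import io
import re
import zipfile
from pathlib import Path

VERSION_ATTRS = ("Specification-Title", "Specification-Version",
                 "Implementation-Title", "Implementation-Version")
# First BeanUtils release with SuppressPropertiesBeanIntrospector (BEANUTILS-463).
BEANUTILS_SUPPRESS_CLASS = (1, 9, 2)


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Long values wrap: a line starting with a single space continues the
    previous attribute. A blank line ends the main section.
    """
    attrs, last = {}, None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = name.strip()
        attrs[last] = value[1:] if value.startswith(" ") else value
    return attrs


def jar_versions(jar_bytes):
    """Return the title/version attributes of a jar, or {} if it has no manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return {}
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    return {k: v for k, v in parse_manifest(manifest).items() if k in VERSION_ATTRS}


def version_tuple(version):
    """'1.9.2' -> (1, 9, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def assess(jar_name, attrs):
    """Map one jar's manifest to the findings discussed in the thread."""
    title = " ".join(attrs.get(k, "") for k in
                     ("Specification-Title", "Implementation-Title")).lower()
    version = attrs.get("Implementation-Version") or attrs.get("Specification-Version", "")
    findings = []
    if "struts" in title or jar_name.lower().startswith("struts"):
        if version_tuple(version)[:1] == (1,):
            findings.append("struts-1: Struts 1 is EOL (2013-04); not Struts 2, so outside "
                            "CVE-2017-5638, but relies on BeanUtils (CVE-2014-0114)")
        else:
            findings.append("struts-2: compare %s against the CVE-2017-5638 advisory"
                            % (version or "unknown"))
    if "beanutils" in title or "beanutils" in jar_name.lower():
        if not version:
            findings.append("beanutils-unknown: no version in manifest, inspect the jar")
        elif version_tuple(version) < BEANUTILS_SUPPRESS_CLASS:
            findings.append("beanutils-old: < 1.9.2, cannot suppress the 'class' "
                            "property (CVE-2014-0114)")
        else:
            findings.append("beanutils-ok: >= 1.9.2, SuppressPropertiesBeanIntrospector "
                            "available but must be registered by the application")
    return findings


def scan(root):
    """Assess every *.jar below root (assumed path, e.g. a WEB-INF/lib directory)."""
    return {p.name: assess(p.name, jar_versions(p.read_bytes()))
            for p in sorted(Path(root).rglob("*.jar"))}


def build_jar(manifest_text):
    """Constructed sample jar: a zip holding only META-INF/MANIFEST.MF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed samples: the struts manifest lines quoted in the thread, plus a
# BeanUtils manifest with a wrapped value to exercise continuation handling.
SAMPLE_JARS = {
    "struts.jar": build_jar("Manifest-Version: 1.0\r\n"
                            "Specification-Title: Struts Framework\r\n"
                            "Specification-Vendor: The Apache Software Foundation\r\n"
                            "Specification-Version: 1.2.4\r\n"),
    "commons-beanutils.jar": build_jar("Manifest-Version: 1.0\r\n"
                                       "Implementation-Title: Apache Commons \r\n"
                                       " BeanUtils\r\n"
                                       "Implementation-Version: 1.9.2\r\n"),
}

if __name__ == "__main__":
    for name, jar in SAMPLE_JARS.items():
        print(name, jar_versions(jar), assess(name, jar_versions(jar)))
```

Two caveats a reviewer would add. The manifest only says what the packager wrote: a repackaged or shaded jar may carry stale or no version attributes, so an empty result means "unknown", not "absent". And a BeanUtils version of 1.9.2 or later only makes the suppression available; whether the application actually registers SuppressPropertiesBeanIntrospector is exactly what the message above asks, and no jar inspection can answer that.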


