Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Grouper's use of Apache Struts

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Grouper's use of Apache Struts

Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Baron Fujimoto <>, Grouper Users <>
  • Subject: RE: [grouper-users] Grouper's use of Apache Struts
  • Date: Mon, 16 Oct 2017 04:33:50 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:bFFZdhBKFY+VnXpqWZgNUyQJP3N1i/DPJgcQr6AfoPdwSPXzocbcNUDSrc9gkEXOFd2CrakV26yO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMhzexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDIOgYYUBDOQBMuRZr4bhqFUBogCzBRW1BO/z1jNEmmP60bM83u88EQ/GxgsgH9cWvXjartv0NKYTXv6vzKXQ0D7OcfNW2S386IjTfBwqvPaBXbdsfsrRyUguFh3Kjk+LpIzkJDOayv4Bs3WD7+V+U+KvjXQrpB9srTiy38ohjJTCiIwSylDB7yp5wYA1KMWiR05je9GrDJtQuD+AO4txWMMiTGdlszs5xL0eoZO3YjIFxIg6yxPadvCLbpWE7xftVOuePTt0mHdodbChiBu97UStz+jxWteo3FtLtiZJj9fBumwX2xHX98SLUOVx8lql1DqVygze6OBJLEYpnqTBMZEh2KQ/lp8LvETDACD2nEL2gbeOeEg4/eak9/nrbqz7qJGEKoN4kwb+Pb8wlcClBuQ4LxQOUHOc+eSh0r3s4Ff1QK1Qjv0xjqnWrozVJdgapq6+BQ9ZyIEj6wujDzei19QYmnoHIEhZdxKAiojlI1DOIPbmAvejm1mgji1ky+zbMrDkH5nBM2XPnbLvfbty90JQ1A8+wNJB6J9bFr0MJff+VlHtuNHZFhM5Nha7w+fjCNVzzIMeXmePD7ecMKzOsV+J5uMuLPeWZIIOuTb9MOQq6+TzjX8hh1Ade6+p0YEJZ3+lA/RqO1+Zbmb0gtcdDWcKuRIzTOPwiF2FTD5Tf2i9X7gl6jEmE4KpE53DRpu2jbyF3Se7BYFWZntYBlyWEHfocZmEVOkWaCKUPMBhjiIIWaK/RIA8yBH9/DP9npBuNO3SsgMFt5Pm08Ryr7nZnAs18xR0BtuU0mDLQm1pyCdAaCUxwbhyuwRA0VqZyuAsjOZfCMRe/bZUSQogLrbdyfB3Edb/RliHc9uUHgWIWNKjVHsRX8A82ZtGSEZnGs7oxkTG1Cq7EbIPv72QD9op6q/a2T78K9srmCWO77Uok1RzGpgHDmahnKMqslGLX4M=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Yes, using 1.9.2 to mitigate that. You could put an apache config to only
allow the admin ui from certain ip addresses... the new ui and lite ui do not
use struts...

You know no one will say don't worry about security :)


-----Original Message-----
From: Baron Fujimoto

Sent: Friday, October 13, 2017 7:42 PM
To: Hyzer, Chris
Grouper Users
Subject: Re: [grouper-users] Grouper's use of Apache Struts

Apologies for possibly beating a dead horse, but can anyone confirm that
Grouper is using the features available in BeanUtils 1.9.2 to mitigate

Without positive confirmation, we'll probably have to firewall off our
Grouper to limit exposure, which we'd obviously rather avoid if

It doesn't seem like anyone else seems particularly concerned about this
that we've noticed. Are we overreacting?


On Wed, Sep 27, 2017 at 07:41:13PM +0000, Baron Fujimoto wrote:
>Mahalo for the responses. For clarification, does the use of beanutils
>1.9.2 which provides for the suppression of properties, including "class"
>mean that this vulnerability is actually mitigated in Grouper?
>It actually seems a little ambiguous, since the BEANUTILS-463 issue
>indicates that the issue is addressable in BeanUtils 1.9.2, but
>CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
>the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
>more clearly or accurately worded, but confirmation would be helpful.
>Thanks also for the roadmap/timeline for Grouper's plans for Struts going
>On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>>Yes 1.2.4
>>Yes the manifest is a reliable way to get the version
>>We use beanutils 1.9.2:
>>Struts is only in UI, not WS
>>We are trying to get struts out of Grouper by the end of the calendar
>>-----Original Message-----
>> On Behalf Of Baron Fujimoto
>>Sent: Tuesday, September 26, 2017 11:05 PM
>>To: Grouper Users
>>Subject: [grouper-users] Grouper's use of Apache Struts
>>Due to the recent high profile Equifax breach attributed to
>>vulnerabilities in Apache Struts, use of Struts within our organization
>>has come under scrutiny. It would help us to address concerns if these
>>questions could be answered.
>>It's our understanding that Grouper is not subject to recently announced
>>vulnerabilities in Struts, e.g. CVE-2017-5638
>><>, because they apply to
>>older version of Struts 2, whereas Grouper uses Struts v1.
>>How can you tell specifically which version of Struts is being used in a
>>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>>Specification-Title: Struts Framework
>>Specification-Vendor: The Apache Software Foundation
>>Specification-Version: 1.2.4
>>Is this a reliable way to get the version information?
>>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>>The assumed non-vulnerablity to CVE-2017-5638 notwithstanding, it was
>>brought to our attention that Struts 1 is implicated in CVE-2014-0114
>><>. Our Google-fu failed to
>>turn up anything about this in the Grouper context. Has this risk been
>>assessed for Grouper?
>>If called for, would the mitigation strategy described here work with
>>Grouper, or is there perhaps a fly in the ointment?
>>It's also been pointed out to us that Struts 1 itself was EOL as of
>>2013-04. Per their announcement, should a major security problem or a
>>serious bug reported for Struts 1, no new releases or fixes fixes may be
>>expected. <>
>>Given this, what is Grouper's future with regard to its use of Struts?

Baron Fujimoto
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Archive powered by MHonArc 2.6.19.

Top of Page