Grouper Users - Open Discussion List

[Baron Fujimoto <>]

Mahalo, Chris! Your confirmation is much appreciated (especially as it
means one less issue for us to deal with in the short term :P )

Aloha,
-baron

On Mon, Oct 16, 2017 at 04:33:50AM +0000, Hyzer, Chris wrote:
>Yes, using 1.9.2 to mitigate that.  You could put an apache config to only 
>allow the admin ui from certain ip addresses... the new ui and lite ui do 
>not use struts...
>
>You know no one will say don't worry about security :)
>
>Thanks
>Chris
>
>-----Original Message-----
>From: Baron Fujimoto 
>[mailto:]
> 
>Sent: Friday, October 13, 2017 7:42 PM
>To: Hyzer, Chris 
><>;
> Grouper Users 
><>
>Subject: Re: [grouper-users] Grouper's use of Apache Struts
>
>Apologies for possibly beating a dead horse, but can anyone confirm that
>Grouper is using the features available in BeanUtils 1.9.2 to mitigate
>CVE-2014-0114?
>
>Without positive confirmation, we'll probably have to firewall off our
>Grouper to limit exposure, which we'd obviously rather avoid if
>unnecessary.
>
>It doesn't seem like anyone else seems particularly concerned about this
>that we've noticed. Are we overreacting?
>
>Aloha,
>-baron
>
>On Wed, Sep 27, 2017 at 07:41:13PM +0000, Baron Fujimoto wrote:
>>Mahalo for the responses. For clarification, does the use of beanutils
>>1.9.2 which provides for the suppression of properties, including "class"
>>mean that this vulnerability is actually mitigated in Grouper?
>>
>>It actually seems a little ambiguous, since the BEANUTILS-463 issue
>>indicates that the issue is addressable in BeanUtils 1.9.2, but
>>CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
>>the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
>>more clearly or accurately worded, but confirmation would be helpful.
>>
>>Thanks also for the roadmap/timeline for Grouper's plans for Struts going
>>forward.
>>
>>On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>>>Yes 1.2.4
>>>Yes the manifest is a reliable way to get the version
>>>We use beanutils 1.9.2: https://issues.apache.org/jira/browse/BEANUTILS-463
>>>Struts is only in UI, not WS
>>>We are trying to get struts out of Grouper by the end of the calendar 
>>>year...
>>>
>>>Thanks
>>>Chris
>>>
>>>-----Original Message-----
>>>From: 
>>>
>>> 
>>>[mailto:]
>>> On Behalf Of Baron Fujimoto
>>>Sent: Tuesday, September 26, 2017 11:05 PM
>>>To: Grouper Users 
>>><>
>>>Subject: [grouper-users] Grouper's use of Apache Struts
>>>
>>>Due to the recent high profile Equifax breach attributed to
>>>vulnerabilities in Apache Struts, use of Struts within our organization
>>>has come under scrutiny. It would help us to address concerns if these
>>>questions could be answered.
>>>
>>>It's our understanding that Grouper is not subject to recently announced
>>>vulnerabilities in Struts, e.g. CVE-2017-5638
>>><https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
>>>older version of Struts 2, whereas Grouper uses Struts v1.
>>>
>>>How can you tell specifically which version of Struts is being used in a
>>>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>>>
>>>Specification-Title: Struts Framework
>>>Specification-Vendor: The Apache Software Foundation
>>>Specification-Version: 1.2.4
>>>
>>>Is this a reliable way to get the version information?
>>>
>>>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>>>
>>>The assumed non-vulnerablity to CVE-2017-5638 notwithstanding, it was
>>>brought to our attention that Struts 1 is implicated in CVE-2014-0114
>>><https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
>>>turn up anything about this in the Grouper context. Has this risk been
>>>assessed for Grouper?
>>>
>>>If called for, would the mitigation strategy described here work with
>>>Grouper, or is there perhaps a fly in the ointment?
>>><https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>
>>>
>>>It's also been pointed out to us that Struts 1 itself was EOL as of
>>>2013-04. Per their announcement, should a major security problem or a
>>>serious bug reported for Struts 1, no new releases or fixes fixes may be
>>>expected. <https://struts.apache.org/struts1eol-announcement.html>
>>>
>>>Given this, what is Grouper's future with regard to its use of Struts?

-- 
Baron Fujimoto 
<>
 :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum