
grouper-users - Re: [grouper-users] Grouper's use of Apache Struts

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] Grouper's use of Apache Struts


  • From: Baron Fujimoto <>
  • To: "Hyzer, Chris" <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] Grouper's use of Apache Struts
  • Date: Mon, 16 Oct 2017 13:24:04 -1000

Mahalo, Chris! Your confirmation is much appreciated (especially as it
means one less issue for us to deal with in the short term :P )

Aloha,
-baron

On Mon, Oct 16, 2017 at 04:33:50AM +0000, Hyzer, Chris wrote:
>Yes, using 1.9.2 to mitigate that. You could put an apache config to only
>allow the admin ui from certain ip addresses... the new ui and lite ui do
>not use struts...
>
>You know no one will say don't worry about security :)
>
>Thanks
>Chris
>
>-----Original Message-----
>From: Baron Fujimoto [mailto:]
>Sent: Friday, October 13, 2017 7:42 PM
>To: Hyzer, Chris <>; Grouper Users <>
>Subject: Re: [grouper-users] Grouper's use of Apache Struts
>
>Apologies for possibly beating a dead horse, but can anyone confirm that
>Grouper is using the features available in BeanUtils 1.9.2 to mitigate
>CVE-2014-0114?
>
>Without positive confirmation, we'll probably have to firewall off our
>Grouper to limit exposure, which we'd obviously rather avoid if
>unnecessary.
>
>It doesn't seem like anyone else seems particularly concerned about this
>that we've noticed. Are we overreacting?
>
>Aloha,
>-baron
>
>On Wed, Sep 27, 2017 at 07:41:13PM +0000, Baron Fujimoto wrote:
>>Mahalo for the responses. For clarification, does the use of beanutils
>>1.9.2 which provides for the suppression of properties, including "class"
>>mean that this vulnerability is actually mitigated in Grouper?
>>
>>It actually seems a little ambiguous, since the BEANUTILS-463 issue
>>indicates that the issue is addressable in BeanUtils 1.9.2, but
>>CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
>>the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
>>more clearly or accurately worded, but confirmation would be helpful.
>>
>>Thanks also for the roadmap/timeline for Grouper's plans for Struts going
>>forward.
>>
>>On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>>>Yes 1.2.4
>>>Yes the manifest is a reliable way to get the version
>>>We use beanutils 1.9.2: https://issues.apache.org/jira/browse/BEANUTILS-463
>>>Struts is only in UI, not WS
>>>We are trying to get struts out of Grouper by the end of the calendar
>>>year...
>>>
>>>Thanks
>>>Chris
>>>
>>>-----Original Message-----
>>>From: [mailto:] On Behalf Of Baron Fujimoto
>>>Sent: Tuesday, September 26, 2017 11:05 PM
>>>To: Grouper Users <>
>>>Subject: [grouper-users] Grouper's use of Apache Struts
>>>
>>>Due to the recent high profile Equifax breach attributed to
>>>vulnerabilities in Apache Struts, use of Struts within our organization
>>>has come under scrutiny. It would help us to address concerns if these
>>>questions could be answered.
>>>
>>>It's our understanding that Grouper is not subject to recently announced
>>>vulnerabilities in Struts, e.g. CVE-2017-5638
>>><https://nvd.nist.gov/vuln/detail/CVE-2017-5638>, because they apply to
>>>older versions of Struts 2, whereas Grouper uses Struts v1.
>>>
>>>How can you tell specifically which version of Struts is being used in a
>>>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>>>
>>>Specification-Title: Struts Framework
>>>Specification-Vendor: The Apache Software Foundation
>>>Specification-Version: 1.2.4
>>>
>>>Is this a reliable way to get the version information?
>>>
>>>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>>>
>>>The assumed non-vulnerability to CVE-2017-5638 notwithstanding, it was
>>>brought to our attention that Struts 1 is implicated in CVE-2014-0114
>>><https://nvd.nist.gov/vuln/detail/CVE-2014-0114>. Our Google-fu failed to
>>>turn up anything about this in the Grouper context. Has this risk been
>>>assessed for Grouper?
>>>
>>>If called for, would the mitigation strategy described here work with
>>>Grouper, or is there perhaps a fly in the ointment?
>>><https://devcentral.f5.com/articles/mitigating-the-apache-struts-classloader-manipulation-vulnerabilities-using-asm>
>>>
>>>It's also been pointed out to us that Struts 1 itself was EOL as of
>>>2013-04. Per their announcement, should a major security problem or a
>>>serious bug be reported for Struts 1, no new releases or fixes may be
>>>expected. <https://struts.apache.org/struts1eol-announcement.html>
>>>
>>>Given this, what is Grouper's future with regard to its use of Struts?

--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
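The "class" property suppression that the thread turns on, as an added example (not Grouper's or BeanUtils' own code): it applies the BeanUtils 1.9.2 SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector to a BeanUtilsBean and then checks whether the "class" property is still reachable, which is the kind of positive confirmation Baron was asking for. SampleForm, hardenBeanUtils and classPropertyExposed are names chosen here; a deployment that goes through the static BeanUtils.populate path (as Struts 1 form population does) would apply the same call to BeanUtilsBean.getInstance() rather than a fresh instance.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertySuppressionCheck {
    // Stand-in for a Struts 1 ActionForm (constructed for this example).
    public static class SampleForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // BeanUtils 1.9.2 mitigation: hide the "class" property from bean introspection,
    // so nested "class.*" paths can no longer be resolved during populate().
    public static void hardenBeanUtils(BeanUtilsBean bean) {
        PropertyUtilsBean pu = bean.getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pu.clearDescriptors(); // discard descriptors cached before the introspector was added
    }

    // The confirmation check: true means "class" is still a readable property (not mitigated).
    public static boolean classPropertyExposed(BeanUtilsBean bean, Object form) {
        try {
            bean.getPropertyUtils().getProperty(form, "class");
            return true;
        } catch (NoSuchMethodException e) {
            return false; // the introspector removed "class" from the bean's descriptors
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean bean = new BeanUtilsBean();
        SampleForm form = new SampleForm();
        System.out.println("before hardening, class exposed: " + classPropertyExposed(bean, form));
        hardenBeanUtils(bean);
        System.out.println("after hardening,  class exposed: " + classPropertyExposed(bean, form));

        // Constructed request-parameter map: one legitimate field plus one nested "class.*"
        // key of the shape the suppression is meant to block.
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("name", "alice");
        params.put("class.classLoader.example", "ignored");
        bean.populate(form, params); // "class" is now an unknown property, so that key is skipped
        System.out.println("name = " + form.getName());
    }
}
```

With the introspector in place, populate() drops the "class.*" key silently while "name" is still set, so a deployment can verify the mitigation without touching the request path.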



