
grouper-users - Re: [grouper-users] Grouper's use of Apache Struts

  • From: Baron Fujimoto <>
  • To: "Hyzer, Chris" <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] Grouper's use of Apache Struts
  • Date: Mon, 16 Oct 2017 13:24:04 -1000

Mahalo, Chris! Your confirmation is much appreciated (especially as it
means one less issue for us to deal with in the short term :P )


On Mon, Oct 16, 2017 at 04:33:50AM +0000, Hyzer, Chris wrote:
>Yes, using 1.9.2 to mitigate that. You could put an apache config to only
>allow the admin ui from certain ip addresses... the new ui and lite ui do
>not use struts...
>You know no one will say don't worry about security :)
>-----Original Message-----
>From: Baron Fujimoto
>Sent: Friday, October 13, 2017 7:42 PM
>To: Hyzer, Chris
> Grouper Users
>Subject: Re: [grouper-users] Grouper's use of Apache Struts
>Apologies for possibly beating a dead horse, but can anyone confirm that
>Grouper is using the features available in BeanUtils 1.9.2 to mitigate
>Without positive confirmation, we'll probably have to firewall off our
>Grouper to limit exposure, which we'd obviously rather avoid if
>It doesn't seem like anyone else seems particularly concerned about this
>that we've noticed. Are we overreacting?
>On Wed, Sep 27, 2017 at 07:41:13PM +0000, Baron Fujimoto wrote:
>>Mahalo for the responses. For clarification, does the use of beanutils
>>1.9.2 which provides for the suppression of properties, including "class"
>>mean that this vulnerability is actually mitigated in Grouper?
>>It actually seems a little ambiguous, since the BEANUTILS-463 issue
>>indicates that the issue is addressable in BeanUtils 1.9.2, but
>>CVE-2014-0114 implicates beanutils versions "through 1.9.2". I'm assuming
>>the BEANUTILS-463 is correct and that the CVE-2014-0114 advisory could be
>>more clearly or accurately worded, but confirmation would be helpful.
>>Thanks also for the roadmap/timeline for Grouper's plans for Struts going
>>On Wed, Sep 27, 2017 at 03:36:52PM +0000, Hyzer, Chris wrote:
>>>Yes 1.2.4
>>>Yes the manifest is a reliable way to get the version
>>>We use beanutils 1.9.2:
>>>Struts is only in UI, not WS
>>>We are trying to get struts out of Grouper by the end of the calendar
>>>-----Original Message-----
>>> On Behalf Of Baron Fujimoto
>>>Sent: Tuesday, September 26, 2017 11:05 PM
>>>To: Grouper Users
>>>Subject: [grouper-users] Grouper's use of Apache Struts
>>>Due to the recent high profile Equifax breach attributed to
>>>vulnerabilities in Apache Struts, use of Struts within our organization
>>>has come under scrutiny. It would help us to address concerns if these
>>>questions could be answered.
>>>It's our understanding that Grouper is not subject to recently announced
>>>vulnerabilities in Struts, e.g. CVE-2017-5638
>>><>, because they apply to
>>>older versions of Struts 2, whereas Grouper uses Struts v1.
>>>How can you tell specifically which version of Struts is being used in a
>>>Grouper deployment? I dug this out of the UI's struts.jar MANIFEST:
>>>Specification-Title: Struts Framework
>>>Specification-Vendor: The Apache Software Foundation
>>>Specification-Version: 1.2.4
>>>Is this a reliable way to get the version information?
>>>Is the only place Grouper uses Struts in the UI? Not, say, by the WS?
>>>The assumed non-vulnerability to CVE-2017-5638 notwithstanding, it was
>>>brought to our attention that Struts 1 is implicated in CVE-2014-0114
>>><>. Our Google-fu failed to
>>>turn up anything about this in the Grouper context. Has this risk been
>>>assessed for Grouper?
>>>If called for, would the mitigation strategy described here work with
>>>Grouper, or is there perhaps a fly in the ointment?
>>>It's also been pointed out to us that Struts 1 itself was EOL as of
>>>2013-04. Per their announcement, should a major security problem or a
>>>serious bug be reported for Struts 1, no new releases or fixes may be
>>>expected. <>
>>>Given this, what is Grouper's future with regard to its use of Struts?

Baron Fujimoto
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
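The thread's practical question is how to tell which Struts and BeanUtils versions a deployment actually ships, using the jar's MANIFEST.MF as quoted above. The following is an added example, not Grouper's own code or anything from the list: it parses a jar manifest the way the JAR spec lays it out (main section only, wrapped values joined), pulls the Specification-/Implementation- title and version, and classifies the result against the two facts the thread establishes (Struts 1.x is EOL; BeanUtils 1.9.2 is where the "class" property suppression became available and still has to be enabled by the application). The sample manifests are constructed, modelled on the struts.jar excerpt in the thread; the BeanUtils one uses Implementation- attributes and a wrapped value to exercise the fallback paths, and is not a copy of any real jar's manifest.

```python
import io
import re
import zipfile
from pathlib import Path

# Thresholds taken from the thread: Struts 1.x has been end-of-life since
# 2013-04, and BeanUtils 1.9.2 is the release that added the ability to
# suppress the "class" property (BEANUTILS-463).
BEANUTILS_SUPPRESS_CLASS_AVAILABLE = (1, 9, 2)


def parse_manifest(text):
    """Parse the main section of a JAR MANIFEST.MF into a dict.

    Per the JAR spec a line starting with a single space continues the
    previous value (long values are wrapped that way), and the main section
    ends at the first blank line. Per-entry sections after it are ignored,
    so an Implementation-Version on an inner package cannot masquerade as
    the jar's own version.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw.strip() == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the scan
        last_key = key.strip()
        # exactly one space follows the colon; keep any trailing space, it
        # may be the boundary of a wrapped value
        attrs[last_key] = value[1:] if value.startswith(" ") else value
    return attrs


def jar_identity(jar_bytes):
    """Return (title, version) from a jar's manifest, or (None, None).

    Specification-* is preferred because that is what the struts.jar
    excerpt in the thread carries; Implementation-* is the fallback that
    other Apache jars use.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return (None, None)
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    title = attrs.get("Specification-Title") or attrs.get("Implementation-Title")
    version = attrs.get("Specification-Version") or attrs.get("Implementation-Version")
    return (title, version)


def version_tuple(version):
    """'1.9.2' -> (1, 9, 2); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def assess(title, version):
    """Classify a component along the lines the thread discusses."""
    if not title or not version:
        return "unknown: manifest carries no title/version"
    vt = version_tuple(version)
    name = title.lower()
    if "struts" in name:
        if vt[:1] == (1,):
            return "struts 1.x: EOL since 2013-04, no further fixes expected"
        return "struts 2.x: compare against current Struts 2 advisories"
    if "beanutils" in name:
        if vt < BEANUTILS_SUPPRESS_CLASS_AVAILABLE:
            return "beanutils < 1.9.2: 'class' property suppression not available"
        return "beanutils >= 1.9.2: 'class' suppression available, must be enabled by the app"
    return "not a tracked component"


def make_jar(manifest_text):
    """Build an in-memory jar containing only a manifest (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


def scan_directory(path):
    """Yield (jar name, title, version, assessment) for every jar under path."""
    for jar in sorted(Path(path).rglob("*.jar")):
        title, version = jar_identity(jar.read_bytes())
        yield (jar.name, title, version, assess(title, version))


# Constructed sample manifests. The first mirrors the struts.jar excerpt
# quoted in the thread and adds a per-entry section with a misleading
# Implementation-Version to show that only the main section is read.
STRUTS_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Specification-Title: Struts Framework\r\n"
    "Specification-Vendor: The Apache Software Foundation\r\n"
    "Specification-Version: 1.2.4\r\n"
    "\r\n"
    "Name: org/apache/struts/\r\n"
    "Implementation-Version: 9.9.9\r\n"
)
BEANUTILS_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Title: Apache Commons \r\n"
    " BeanUtils\r\n"  # wrapped value: continuation joined minus its leading space
    "Implementation-Version: 1.9.2\r\n"
)

if __name__ == "__main__":
    for manifest in (STRUTS_MANIFEST, BEANUTILS_MANIFEST):
        title, version = jar_identity(make_jar(manifest))
        print(f"{title} {version}: {assess(title, version)}")
```

Point `scan_directory` at a Grouper webapp's WEB-INF/lib to inventory the real jars; the manifest is the authoritative place for the version, as confirmed in the thread, but note that a BeanUtils at or above 1.9.2 only tells you the suppression feature exists, not that the application turned it on.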
