
perfsonar-user - Re: [perfsonar-user] Apache Struts Being Used?

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake
  • To: Matt Vander Werf
  • Subject: Re: [perfsonar-user] Apache Struts Being Used?
  • Date: Tue, 25 Apr 2017 12:06:29 -0400

Hi,

We don’t use Apache Struts for anything. Not sure what the scanner gives you, but if there is a particular URL or similar it's telling you it thinks is pointing at a Struts app, let me know and we can maybe at least try to figure out what triggered it.

Thanks,
Andy



On April 25, 2017 at 11:53:17 AM, Matt Vander Werf wrote:

Our vulnerability scanner we use to scan our public IP space weekly is showing a vulnerability related to Apache Struts [1][2] on our systems running the perfSONAR Toolkit (latest v4.0).

I was unable to find any indication that Apache Struts was being used for anything in the toolkit, but I thought I'd ask just to make sure. So far my findings seem to indicate that this is a false-positive. We installed the toolkit using the ISO for CentOS 6.

Can anyone confirm whether or not Apache Struts is being used for anything in the toolkit?

Thanks.

[1] https://blog.qualys.com/securitylabs/2017/03/14/apache-struts-cve-2017-5638-vulnerability-and-the-qualys-solution
[2] https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

--
Matt Vander Werf


