
perfsonar-user - Re: [perfsonar-user] Apache Struts Being Used?

Subject: perfSONAR User Q&A and Other Discussion

  • From: Matt Vander Werf <>
  • To: Andrew Lake <>
  • Cc:
  • Subject: Re: [perfsonar-user] Apache Struts Being Used?
  • Date: Tue, 25 Apr 2017 13:50:09 -0400

Hi Andy,

Great! Thanks! I didn't think it was being used but thought I'd ask anyways!

I haven't been able to determine what URL it is finding the vulnerability at yet, so at this time, I don't have any info to provide. I'll let you know if I discover any details though.

Thanks!

--
Matt Vander Werf
HPC System Administrator
University of Notre Dame
Center for Research Computing - Union Station
506 W. South Street
South Bend, IN 46601
Phone: (574) 631-0692

On Tue, Apr 25, 2017 at 12:06 PM, Andrew Lake <> wrote:
Hi,

We don’t use Apache Struts for anything. Not sure what the scanner gives you, but if there is a particular URL or similar it's telling you it thinks is pointing at a Struts app, let me know and we can maybe at least try to figure out what triggered it.

Thanks,
Andy



On April 25, 2017 at 11:53:17 AM, Matt Vander Werf () wrote:

The vulnerability scanner we use to scan our public IP space weekly is showing a vulnerability related to Apache Struts [1][2] on our systems running the perfSONAR Toolkit (latest v4.0).

I was unable to find any indication that Apache Struts was being used for anything in the toolkit, but I thought I'd ask just to make sure. So far my findings seem to indicate that this is a false positive. We installed the toolkit using the ISO for CentOS 6.

Can anyone confirm whether or not Apache Struts is being used for anything in the toolkit?

Thanks.

[1] https://blog.qualys.com/securitylabs/2017/03/14/apache-struts-cve-2017-5638-vulnerability-and-the-qualys-solution
[2] https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

--
Matt Vander Werf



