struts 1.3 vulnerabilities


Berkoff, Alexis (Alex) (Contractor, eDataTech)

Jan 20, 2021, 1:42:25 PM
to kc.techni...@kuali.org
Hello all.

First post to this group this year!

I was wondering if anyone can share migration approaches / strategies your school took to get struts 1.3.10 => 2.x.
Any details on pitfalls to watch out for would be helpful as well.

Thanks!

Ronald Gouldner

Jan 20, 2021, 3:22:04 PM
to Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
Happy New Year Alexis,

What is the vulnerability? We are using struts "1.3.11-kuali-1", whatever that is.

Perhaps that is your solution. A quick search for Struts 1.3 vulnerabilities only finds issues with 1.3.10.

I wonder what they changed in 1.3.11 when they created the kuali-1 version. Perhaps it is just a fix for this vulnerability. No documentation anywhere that I can find. I never noticed they modified this code, and it's not a part of the repos. I think I will download the sources jar and save it in case we lose access to the kuali nexus repository.
It's strange though. A search for 1.3.11 finds a snapshot release,
but according to the struts page, 1.3.10 was the last version.
Might have to diff the 1.3.10 source with the kuali 1.3.11 version and see what they did.
I downloaded the source jar for 1.3.11, but there is very little in it compared to what's in the apache source for 1.3.10, so it's also going to be a puzzle to see what they actually did.

If 1.3.11-kuali-1 still has issues let me know if you find a solution to move to 2.X.

Hope all is well with you.

Ron

--
To unsubscribe from this group and stop receiving emails from it, send an email to kc.technical.co...@kuali.org.

Eric Westfall

Jan 20, 2021, 4:00:56 PM
to Ronald Gouldner, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
I suspect this is likely the version released from this codebase:


See the commits on October 11, 2016 for what was fixed, the code changes, and relevant CVEs:


Hope that's helpful :)
Eric

Ken Geis

Jan 20, 2021, 4:30:59 PM
to Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
If you really wanted to move to Struts2, it's different enough from Struts1 that I would probably move to something still similar and more current like Spring MVC, or something completely different. My team may take the latter approach over time, and we're still thinking on it.


Ken


--
Ken Geis (he/him/his) 
Acting Director, IT
Research Administration and Compliance 
University of California, Berkeley 
LinkedIn | rac.berkeley.edu | berkeley.edu

Ronald Gouldner

Jan 20, 2021, 4:37:28 PM
to Eric Westfall, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
Eric, 

Thanks, I didn't realize we still had access to the kuali github as a non-member.
I wonder why the version was changed from 1.3.10 to 1.3.11-kuali-1 instead of just 1.3.10-kuali-1, which would have been less confusing since it is just 1.3.10 with some kuali tweaks. Looks like it doesn't address the vulnerability if I am reading the comments correctly. It seems CVE-2016-1181 and CVE-2016-1182 were addressed but not CVE-2018-11776.

Ron


Eric Westfall

Jan 20, 2021, 5:26:01 PM
to Ronald Gouldner, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
It's likely because, according to Maven version number ordering, 1.3.10-kuali-1 would be considered "older" than 1.3.10 (since it is using a qualifier): https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN400

And yes, I think Ken is right, there is not really a turnkey conversion from Struts 1.x to 2.x without rewriting things.

Thanks,
Eric
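
Maven 3's ComparableVersion decides the ordering the post above refers to with a fixed qualifier table: alpha, beta, milestone, rc and snapshot sort before the plain release, while qualifiers it does not know, such as kuali, sort after it, so a SNAPSHOT suffix and a fork suffix land on opposite sides of 1.3.10. The script below is an added example, not code from this thread or from Kuali; it is a simplified Python model of those rules that splits only on '.' and '-' (Maven also splits at digit/letter transitions), which is enough for the versions discussed here.

```python
"""Simplified model of Maven 3's ComparableVersion ordering (constructed example)."""
from itertools import zip_longest

# Maven's known qualifiers in order; "" is the plain release. Any other
# qualifier (e.g. "kuali") is keyed "7-<name>", which sorts after all of them.
_QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
_ALIASES = {"ga": "", "final": "", "release": "", "cr": "rc"}


def _qkey(q):
    return str(_QUALIFIERS.index(q)) if q in _QUALIFIERS else "7-" + q


def _parse(version):
    """Split on '.' and '-' into ints and lowercase qualifiers, then drop trailing
    parts Maven treats as empty (0 and the release), so 1.3.10.0 == 1.3.10."""
    parts = [int(p) if p.isdigit() else _ALIASES.get(p, p)
             for p in version.lower().replace("-", ".").split(".")]
    while parts and parts[-1] in (0, ""):
        parts.pop()
    return parts


def _cmp_part(a, b):
    """Three-way compare of two parts; b is None when the other version ran out."""
    if isinstance(a, int):
        if b is None:                 # 1.3.10-1 is newer than 1.3.10
            return 1 if a else 0
        return (a > b) - (a < b) if isinstance(b, int) else 1
    if isinstance(b, int):            # a number outranks any qualifier
        return -1
    ka, kb = _qkey(a), _qkey("" if b is None else b)  # missing part == release
    return (ka > kb) - (ka < kb)


def compare(v1, v2):
    """-1, 0 or 1 like ComparableVersion.compareTo(); -1 means v1 is older."""
    for a, b in zip_longest(_parse(v1), _parse(v2)):
        r = _cmp_part(a, b) if a is not None else -_cmp_part(b, None)
        if r:
            return r
    return 0


if __name__ == "__main__":
    words = {-1: "older than", 0: "the same as", 1: "newer than"}
    for fork, upstream in [("1.3.10-kuali-1", "1.3.10"), ("1.3.10-SNAPSHOT", "1.3.10"),
                           ("1.3.11-kuali-1", "1.3.10-kuali-1"), ("1.3.10-kuali-1", "1.3.11")]:
        print(fork, "is", words[compare(fork, upstream)], upstream)
```

Before publishing a forked artifact, run the real check against the Maven version you build with, since dependency ranges and update plugins follow this ordering rather than the qualifier rule of thumb.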

Eric Westfall

Jan 20, 2021, 5:31:28 PM
to Ronald Gouldner, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
I should add, given that Struts 2 is a different codebase from Struts 1, the CVE you reference (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776) only mentions Struts 2.3 and 2.5 as being affected, so it wouldn't apply to Struts 1.3. That doesn't mean there aren't other vulnerabilities in Struts 1.3, but they probably aren't being found or tracked anymore given that Struts 1 had its last release in December of 2008 ;)

Eric

Ronald Gouldner

Jan 20, 2021, 5:31:45 PM
to Eric Westfall, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
Thanks, that's interesting. I didn't know that. Makes sense now. We have always appended -uh to Kuali version numbers to identify our changed version. Never had an issue with that. I didn't know that technically it qualified as an older version with the extension.

Any idea what Kuali plans to do to address this vulnerability? Sounds like no good options. 1.3.10 is EOL and 2.x is a difficult conversion.

Ronald Gouldner

Jan 20, 2021, 5:36:00 PM
to Eric Westfall, Berkoff, Alexis (Alex) (Contractor, eDataTech), kc.techni...@kuali.org
That's good to hear. I didn't know which vulnerability Alex was referring to, so perhaps it was just the two that were addressed in the 1.3.11-Kuali-1 version. I agree it doesn't mean there are no vulnerabilities since they are no longer being tracked, but nothing you can really do about that. Thanks for all the helpful info!