Struts vulnerabilities


Paul Hoffman

Sep 12, 2017, 9:17:51 AM9/12/17
to irplus
We're still running several instances of IR+ 2.0.8 and 2.1; should we be concerned about the two Struts vulnerabilities discovered this year?

http://struts.apache.org/docs/s2-052.html ("RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests")
http://struts.apache.org/docs/s2-053.html ("RCE attack is possible when developer is using wrong construction in Freemarker tag")

Thanks,

Paul.

--
Paul Hoffman <pa...@flo.org>
Software Manager
Fenway Libraries Online
http://www.flo.org/
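Whether an IR+ deployment is exposed to the two advisories Paul links depends on what is actually in WEB-INF/lib: S2-052 only applies when the Struts REST plugin is deployed, and both advisories are version-bounded. The script below is an added example (not code from the thread, IR+ or Apache Struts) that inventories the Struts JARs in a webapp's lib directory, reports whether the REST plugin is present, compares struts2-core against a minimum fixed version you supply from the advisory, and flags mixed Struts versions, which is the failure mode to watch for when JARs are swapped by hand rather than rebuilt. The file names and the `2.3.34` threshold in the usage are constructed sample values; take the real minimum from the advisory for your branch.

```python
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Struts 2 artifacts are conventionally named struts2-<artifact>-<version>.jar,
# e.g. struts2-core-2.0.14.jar or struts2-spring-plugin-2.0.14.jar.
STRUTS_JAR_RE = re.compile(r"^struts2-([a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.15.3' into (2, 3, 15, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def inventory_struts_jars(file_names: Iterable[str]) -> Dict[str, str]:
    """Map each Struts artifact name (core, spring-plugin, rest-plugin, ...)
    to the version encoded in its JAR file name. Non-Struts JARs are ignored."""
    found: Dict[str, str] = {}
    for name in sorted(file_names):
        match = STRUTS_JAR_RE.match(name)
        if match:
            artifact, version = match.groups()
            found[artifact] = version
    return found


def scan_lib_dir(lib_dir: str) -> Dict[str, str]:
    """Convenience wrapper: inventory a real WEB-INF/lib directory."""
    return inventory_struts_jars(os.listdir(lib_dir))


def assess(found: Dict[str, str], min_fixed_core: str) -> Dict[str, Optional[object]]:
    """Summarise exposure from the inventory.

    min_fixed_core is the first struts2-core version the advisory lists as
    fixed (an input you take from the advisory, not a value embedded here).
    """
    core = found.get("core")
    below_fixed = None
    if core is not None:
        below_fixed = parse_version(core) < parse_version(min_fixed_core)
    return {
        "core_version": core,
        # S2-052 is only reachable when the REST plugin is deployed.
        "rest_plugin": "rest-plugin" in found,
        "below_fixed": below_fixed,
        # Hand-swapped JARs often leave plugins at the old version; a mixed
        # set of Struts versions is a broken upgrade, not a finished one.
        "mixed_versions": len(set(found.values())) > 1,
    }


if __name__ == "__main__":
    # Constructed sample of a WEB-INF/lib listing (not a real IR+ install).
    sample_lib = [
        "commons-lang-2.4.jar",
        "struts2-core-2.0.14.jar",
        "struts2-spring-plugin-2.0.14.jar",
        "struts2-rest-plugin-2.0.14.jar",
    ]
    report = assess(inventory_struts_jars(sample_lib), "2.3.34")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point `scan_lib_dir` at each instance's WEB-INF/lib and read the report: `rest_plugin` tells you whether S2-052's precondition holds at all, `below_fixed` whether the core JAR predates the fix, and `mixed_versions` catches the half-done upgrade where struts2-core was replaced but struts2-spring-plugin was not.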

Paul Hoffman

Sep 12, 2017, 9:27:10 AM9/12/17
to irplus
Following up to my own post with a naive Java question...

Can we upgrade to the latest versions of struts2-core and struts2-spring-plugin simply by replacing the old JAR files in WEB-INF?  If so, I see where to download the former but not the latter -- any ideas?

The last time I tried to upgrade something by editing ivy.xml and rebuilding, the build failed -- fortunately, that wasn't a problem at the time, but I would really like to just shuffle some files around rather than doing a full rebuild if that's possible.

Thanks again,


Paul.

--
Paul Hoffman <pa...@flo.org>
Software Manager
Fenway Libraries Online
http://www.flo.org/

Nathan Sarr

Sep 12, 2017, 9:54:11 AM9/12/17
to irp...@googlegroups.com
Hi Paul,

If you decide to try upgrading again I’ve been keeping the following branch up to date:


You should be able to get the struts2-spring-plugin jar here:


Best,
-Nate


Paul Hoffman

Oct 12, 2017, 10:21:31 AM10/12/17
to irplus
Nate,

Thanks.  Can we upgrade to the latest versions of struts2-core and struts2-spring-plugin simply by replacing the old JAR files in WEB-INF?

Paul.

nate...@gmail.com

Oct 12, 2017, 11:25:50 PM10/12/17
to irp...@googlegroups.com
Hi Paul,

I believe so, but I can’t say for sure; you would have to test. If you run into any issues, you could check the differences in the files that have errors and make tweaks as required.

-Nate

Sent from my iPhone