Please upgrade your OneBusAway Instances!


Sheldon A. Brown

Mar 10, 2017, 8:14:33 AM
to onebusaway...@googlegroups.com
A recent Apache Struts vulnerability has left current OneBusAway
installations incredibly vulnerable.

See https://cwiki.apache.org/confluence/display/WW/S2-045

I have upgraded struts and cut a new version: 1.1.16

tag: onebusaway-application-modules-1.1.16

If you are running a fork of OneBusAway please change
<struts-version> in /pom.xml:

<properties>
<struts-version>2.3.32</struts-version>
...
</properties>


and rebuild and redeploy.

I'm happy to answer any follow on questions either publicly or privately.

Thanks,

Sheldon

Sheldon A. Brown

Mar 14, 2017, 11:56:10 AM
to onebusaway...@googlegroups.com
To be clear --

this is confirmed to affect all modules that use struts, even if the
fileUpload portion isn't in use. So plan to upgrade everything to be
safe.

Thanks,

Sheldon

Ed Fleisc

Apr 12, 2017, 10:54:36 AM
to onebusaway-developers
We have a test installation that is working well.  Upgrading to struts 2.3.32 breaks it though.

We changed the struts version back and forth several times, and version 2.3.32 never works. When we use version 2.3.32, whenever a client tries to connect the following error shows on the server console and no stops are retrieved. The client side gets the message "check your internet connection". As of now we can't upgrade.

SEVERE: Exception starting filter struts-execute
java.lang.ClassNotFoundException: org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1285)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119)
    at org.apache.catalina.core.DefaultInstanceManager.loadClass(DefaultInstanceManager.java:511)
    at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:492)
    at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:118)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:258)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:105)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4590)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5233)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1409)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

2.3.32

Sheldon A. Brown

Apr 12, 2017, 11:25:26 AM
to onebusaway...@googlegroups.com
Thanks Ed --

did you run `mvn package` after changing the struts version? And did
you verify the struts libraries are inside the war file at
WEB-INF/lib/struts-*?

It sounds like after making the configuration change your war did not build
properly...

Sheldon
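The check Sheldon asks for above (confirm that the rebuilt war really carries the upgraded struts jars under WEB-INF/lib, rather than a stale copy left behind by the IDE) is easy to automate. The script below is an added example written for this thread; it is not code from the thread or from the OneBusAway project. It lists every struts2-core jar in a war and compares the version against the fixed releases named in the S2-045 advisory (2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line). The `make_sample_war` helper builds an in-memory war with empty placeholder jars purely as constructed test data.

```python
import io
import re
import sys
import zipfile

# First fixed release per branch, from the S2-045 advisory linked in the thread.
# Versions are normalised to 4-tuples so 2.3.32 and 2.5.10.1 compare cleanly.
FIXED = {(2, 3): (2, 3, 32, 0), (2, 5): (2, 5, 10, 1)}

# Matches e.g. WEB-INF/lib/struts2-core-2.3.32.jar or ...-2.5.10.1.jar
JAR_RE = re.compile(r"^WEB-INF/lib/struts2-core-(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(match):
    """Turn the regex groups into a 4-tuple, padding a missing 4th component with 0."""
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def struts_core_versions(war):
    """Return the version tuple of every struts2-core jar bundled in the war.

    `war` may be a path or any file-like object zipfile can read.
    """
    found = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                found.append(parse_version(m))
    return found


def is_fixed(version):
    """True if this struts2-core version is at or past the S2-045 fix for its branch."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not in the advisory table: accept only if newer than both fixed lines.
        # This deliberately flags very old (2.2.x) releases as well; they are unsupported.
        return version > (2, 5, 10, 1)
    return version >= fixed


def assess_war(war):
    """Classify a war: 'no-struts-core', 'vulnerable', 'mixed' or 'ok'."""
    versions = struts_core_versions(war)
    if not versions:
        # Either not a Struts application or the build failed to bundle struts at all
        # (the ClassNotFoundException in the thread is the runtime symptom of that).
        return "no-struts-core"
    if any(not is_fixed(v) for v in versions):
        # A stale jar next to the new one still counts: the classloader may pick either.
        return "vulnerable"
    if len(set(versions)) > 1:
        return "mixed"  # all fixed, but WEB-INF/lib was not cleaned between builds
    return "ok"


def make_sample_war(jar_names):
    """Constructed test data: an in-memory war with empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_struts_war.py target/onebusaway-webapp.war (path is hypothetical)
    path = sys.argv[1]
    vers = struts_core_versions(path)
    print("struts2-core jars:", [".".join(map(str, v)) for v in vers])
    print("status:", assess_war(path))
```

Run it against the war produced by `mvn package` before deploying; a result of `vulnerable` or `mixed` means WEB-INF/lib still contains a pre-2.3.32 jar and the build (or the IDE's copy of it) needs a clean rebuild, exactly the situation Ed ran into with Eclipse.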

Ed Fleisc

Apr 12, 2017, 3:55:23 PM
to onebusaway-developers
You nailed it!  That was exactly the problem. I did clean and rebuild the project, but using Eclipse, which did not update the struts libraries.

I used: mvn package -Dmaven.test.skip=true   (I had to skip tests or it wouldn't work).

Maven downloaded all required libraries and it is working well now.

Thank you!

Sheldon A. Brown

Apr 12, 2017, 4:05:10 PM
to onebusaway...@googlegroups.com
Great! Glad I could help.

Sheldon