Forums

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Orin Fink, modified 7 years ago.

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Junior Member Posts: 65 Join date: 25.03.10 Recent posts
Given the recent exploit news regarding Apache Struts 2 File Uploader, I wanted to ask if there is any concern with this being an issue on Liferay 6.2 GA6?

I've searched the code base for any instance of FileUploadInterceptor via GitHub and nothing was found. However, I would still like to hear from others whether anybody has found that this exploit, CVE-2017-5638, would affect any version (current or previous) of Liferay.

More information on the Struts exploit:

http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

and

https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/
David H Nebinger, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14916 Join date: 02.09.06 Recent posts
No. Liferay has never adopted Struts 2, only Struts 1.

The only folks that need to be concerned are those that have implemented Struts 2 for their portlets.

In general, the problem is that the code injected via the Struts 2 vulnerability runs with all the permissions of the user that launched Tomcat.

Since we are all smart people and we never, ever run Tomcat as root and, in fact, always follow the best practice of creating an unprivileged user to run our Tomcat instance under, even if we were using Struts 2 our systems would be great targets for the hackers to hit - even if they could inject code, it wouldn't be able to do any of the things the hackers are trying to exploit.
Orin Fink, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Junior Member Posts: 65 Join date: 25.03.10 Recent posts
Thanks a ton David.
David H Nebinger, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14916 Join date: 02.09.06 Recent posts
Yeah, just trying to inject a little humor.

It does carry a lesson for us though. If you are running your app server as root, it's really something you want to look at. We never know what the next vulnerability is going to be, but if your app server is not running under an escalated user account, your system will be less vulnerable to attack.

If I were running Struts 2 and using a totally non-privileged account (like I can only write to logs and temp, and that's it), I'd feel fine running Struts 2.
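The two posts above boil down to two checks a defender can script: is the app-server JVM running as root, and which directories under the Tomcat install can the service account actually write to (ideally only logs and temp, as David says, plus Tomcat's own work directory). The following is an added example written for this thread, not code from Liferay, Tomcat or either poster. It assumes a hypothetical `ps -eo user,pid,args` style listing (the sample lines are constructed), a CATALINA_HOME layout built on the fly for demonstration, and an arbitrary service uid/gid of 424242 that owns nothing, so only the "other" permission bits decide writability; ACLs are not considered.

```python
"""Least-privilege checks for an app-server install (added example, not from the thread)."""
import os
import stat
import tempfile
from pathlib import Path

# Directories a Tomcat service account legitimately needs to write to:
# logs and temp as suggested in the thread, plus Tomcat's own work dir.
DEFAULT_WRITABLE_ALLOWLIST = frozenset({"logs", "temp", "work"})

# Constructed sample of `ps -eo user,pid,args` output (hypothetical hosts/pids).
SAMPLE_PS = [
    "USER       PID COMMAND",
    "root         1 /sbin/init",
    "root       812 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start",
    "tomcat     913 /usr/bin/java -Dcatalina.home=/opt/tomcat2 org.apache.catalina.startup.Bootstrap start",
]


def root_owned_app_server_processes(ps_lines):
    """Return pids of Tomcat JVMs (Bootstrap main class) that run as root."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)  # user, pid, rest of the command line
        if len(parts) < 3:
            continue
        user, pid, args = parts
        if user == "root" and "org.apache.catalina.startup.Bootstrap" in args:
            hits.append(int(pid))
    return hits


def mode_writable_by(st, uid, gids):
    """True if account (uid, gids) may write per the classic permission bits only."""
    if uid == 0:
        return True  # root bypasses discretionary permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def unexpected_writable_dirs(catalina_home, uid, gids, allowlist=DEFAULT_WRITABLE_ALLOWLIST):
    """Walk CATALINA_HOME and list directories (relative, POSIX form) the service
    account could write to that are outside the allow-listed top-level trees.
    A writable conf/ or webapps/ is a finding: injected code could persist there."""
    root = Path(catalina_home)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):  # does not follow symlinks
        d = Path(dirpath)
        rel = d.relative_to(root)
        if rel.parts and rel.parts[0] in allowlist:
            dirnames[:] = []  # allowed tree: do not descend
            continue
        if mode_writable_by(d.lstat(), uid, gids):
            findings.append(rel.as_posix() if rel.parts else ".")
    return sorted(findings)


def build_demo_home(path):
    """Create a constructed CATALINA_HOME: conf locked down, webapps world-writable."""
    layout = {
        "conf": 0o755, "logs": 0o777, "temp": 0o777, "work": 0o777,
        "webapps": 0o777, "webapps/ROOT": 0o777,
    }
    for name, mode in layout.items():
        p = Path(path) / name
        p.mkdir(parents=True, exist_ok=True)
        os.chmod(p, mode)  # explicit chmod so the umask does not interfere


def demo_findings(uid=424242, gids=frozenset({424242})):
    """Build the demo tree in a temp dir and return the writable-dir findings."""
    home = tempfile.mkdtemp(prefix="catalina_demo_")
    build_demo_home(home)
    return unexpected_writable_dirs(home, uid, gids)


if __name__ == "__main__":
    print("root-owned Tomcat pids:", root_owned_app_server_processes(SAMPLE_PS))
    print("unexpectedly writable dirs:", demo_findings())
```

On a real host you would feed the script live `ps` output and the actual CATALINA_HOME with the service account's uid and supplementary gids; any finding outside logs/temp/work is a directory where code running as that account could write, which is exactly the blast radius the thread is talking about.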