Discussion forums
Vulnerability of Apache Struts
Shin Sameshima, modified 9 years ago.
Vulnerability of Apache Struts
New Member Posts: 11 Join date: 3/08/13
Hi everybody,
Does the Apache Struts vulnerability affect Liferay 6.2?
--------------
Vulnerability Details:
Announcements
http://struts.apache.org/announce.html
Security Bulletins S2-020
http://struts.apache.org/release/2.3.x/docs/s2-020.html
Security Bulletins S2-021
http://struts.apache.org/release/2.3.x/docs/s2-021.html
CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
CVE-2014-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
CVE-2014-0113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0113
-------------
Regards
Shin Sameshima
James Falkner, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1399 Join date: 17/09/10
Shin Sameshima:
Hi everybody,
Does the Apache Struts vulnerability affect Liferay 6.2?
--------------
Vulnerability Details:
Announcements
http://struts.apache.org/announce.html
Security Bulletins S2-020
http://struts.apache.org/release/2.3.x/docs/s2-020.html
Security Bulletins S2-021
http://struts.apache.org/release/2.3.x/docs/s2-021.html
CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
CVE-2014-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
CVE-2014-0113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0113
-------------
Regards
Shin Sameshima
Nope, Liferay 6.2 uses Struts 1.x, so not affected.
Shin Sameshima, modified 9 years ago.
RE: Vulnerability of Apache Struts
New Member Posts: 11 Join date: 3/08/13
Thank you for your quick reply.
But some websites report that Struts 1 in all versions is affected by a ClassLoader manipulation vulnerability similar to a recently fixed vulnerability in Struts 2.
This is a different flaw. Please refer to CVE-2014-0114 regarding this issue.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Regards
David H Nebinger, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 14919 Join date: 2/09/06
Yeah, James is incorrect that Struts 1 is not affected.
Unfortunately Struts 1 is also EOL'd by Apache, so unless they're planning an emergency patch, a fix from Apache is not forthcoming.
So while I understand staying with Struts 1 for the OOTB portlets (small footprint, minimal framework impact), I guess Liferay is going to have to be responsible for backfilling struts 1 fixes (such as this one) to continue to stay with struts 1...
Shin Sameshima, modified 9 years ago.
RE: Vulnerability of Apache Struts
New Member Posts: 11 Join date: 3/08/13
Hi David. Thank you for your kind comment. Although I guess it will take a little more time to fix it, I think I want to wait for it.
Regards.
Samuel Kong, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1902 Join date: 10/03/08
Liferay Portal is not affected by CVE-2014-0114 because this exploit utilizes ActionForm and Liferay Portal does not use ActionForm out of the box. However, you may be vulnerable if you created a custom portlet that uses ActionForm.
Advait Trivedi, modified 9 years ago.
RE: Vulnerability of Apache Struts
Junior Member Posts: 56 Join date: 30/03/10
Hi Samuel,
I am not sure how you can say that ActionForm is not used by Liferay. I scanned the Liferay source code and was able to find multiple references to ActionForm. Just to point to one such instance: com.liferay.portlet.blogs.action.EditEntryAction.processAction(ActionMapping, ActionForm, PortletConfig, ActionRequest, ActionResponse)
Can you please clarify what you meant when you said Liferay Portal does not use ActionForm?
Thanks,
Advait
Samuel Kong, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Advait,
The ActionForm you see in the code is the result of Liferay exposing Struts' ActionForm to developers. This is why you can use ActionForm in your custom portlets and why you may be vulnerable if you use ActionForm in a custom portlet. However, Liferay Portal does not use ActionForm to implement any out of the box functionality. So, yes, it's there, but Liferay does not use it.
Advait Trivedi, modified 9 years ago.
RE: Vulnerability of Apache Struts
Junior Member Posts: 56 Join date: 30/03/10
Hi Samuel,
Appreciate your comments.
But the example which I gave you is directly from the Liferay source code; it's a Liferay OOB Blog portlet which uses ActionForm. Is it not really apparent?
Thanks,
Advait
Samuel Kong, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Advait,
Yes, it's in the method signature. But we don't use the ActionForm.
Advait Trivedi, modified 9 years ago.
RE: Vulnerability of Apache Struts
Junior Member Posts: 56 Join date: 30/03/10
Hi Samuel,
I see your point, thanks again for clarifying.
So, can you shed some light on what the patch given by Liferay to EE customers for this issue contains?
Thanks,
Advait
Samuel Kong, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1902 Join date: 10/03/08
The patch pretty much follows the recommendation from Apache Struts and filters out "class" parameters.
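An added illustration (not Liferay's patch or Apache's code) of the deny rule Samuel describes: a request parameter whose name addresses a bean's "class" property, directly or nested, is dropped before any form population happens. The regular expression and the sample parameter names are my own construction for this example; in a Struts 1 application the equivalent check would sit in a servlet filter in front of the ActionForm population.

```python
import re
from typing import Dict, List, Tuple

# Constructed deny rule for this example (not the exact expression any vendor ships).
# It matches a property segment "class"/"Class" that is:
#   - at the start of the name or right after a dot   -> "class.x", "entry.class.y"
#   - written as an indexed property ['class']/["class"]
# and that is followed by the end of the name, a dot, the closing quote/bracket,
# or an opening bracket. Names like "className" or "subclass.x" do not match,
# because "class" there is not a complete property segment.
CLASS_PARAM_RE = re.compile(r"""(^|\.|\[['"])[cC]lass($|\.|['"]\]|\[)""")


def is_class_manipulation(name: str) -> bool:
    """True if the parameter name tries to reach a bean's 'class' property."""
    return CLASS_PARAM_RE.search(name) is not None


def filter_params(params: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a request's parameter map into the values to pass on and the rejected names.

    The rejected names are worth logging: in normal traffic a form never
    submits a field called "class.*", so any hit is a detection signal.
    """
    kept: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for name, values in params.items():
        if is_class_manipulation(name):
            rejected.append(name)
        else:
            kept[name] = values
    return kept, rejected


if __name__ == "__main__":
    # Constructed sample of a submitted form: legitimate fields plus two
    # parameter names that address the "class" property and must be dropped.
    sample = {
        "title": ["Hello"],
        "className": ["blog-entry"],   # legitimate: not a "class" segment
        "class.x": ["anything"],        # rejected
        "entry.class.y": ["anything"],  # rejected
    }
    kept, rejected = filter_params(sample)
    print("kept:", sorted(kept))
    print("rejected:", rejected)
```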
KC Koh, modified 6 years ago.
RE: Vulnerability of Apache Struts
New Member Posts: 2 Join date: 4/06/10
Samuel Kong:
Hi Advait,
Yes, it's in the method signature. But we don't use the ActionForm.
Hi Samuel,
Is it possible to list the Struts classes Liferay actually uses, instead of telling which classes are not used?
Regards
KC
Samuel Kong, modified 6 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1902 Join date: 10/03/08
Hi KC,
I have good news and bad news. The bad news is that I don't have such a list. However, the good news is that Liferay Portal is open source. That means you can just search through the code and put together the list yourself. As a starting point, try searching for "org.apache.struts".
James Falkner, modified 9 years ago.
RE: Vulnerability of Apache Struts
Liferay Legend Posts: 1399 Join date: 17/09/10
Shin Sameshima:
Hi David. Thank you for your kind comment. Although I guess it will take a little more time to fix it, I think I want to wait for it.
Regards.
Hey Shin, so we have issued an alert for this issue - thanks for bringing it to our attention! As Sam points out, although Liferay itself isn't affected, some Liferay users may be using the features in Struts that can open them up to vulnerabilities, so we wanted to make an official announcement and document how to workaround it (we are also going to produce a patch for 6.2.1 in the near future).
Shin Sameshima, modified 9 years ago.
RE: Vulnerability of Apache Struts
New Member Posts: 11 Join date: 3/08/13
Hi James. Thank you for your comment. I was relieved to learn that Liferay itself will not be affected. I will use the "issued an alert for this issue" posted by the Community Security Team as a reference.
Regards.