Discussion forums

Vulnerability of Apache Struts

Shin Sameshima, modified 9 years ago.

Vulnerability of Apache Struts

New Member, Posts: 11, Join date: 03/08/13
Hi everybody,

Does the Apache Struts vulnerability affect Liferay 6.2?
--------------
Vulnerability details:

Announcements
http://struts.apache.org/announce.html
Security Bulletins S2-020
http://struts.apache.org/release/2.3.x/docs/s2-020.html
Security Bulletins S2-021
http://struts.apache.org/release/2.3.x/docs/s2-021.html
CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
CVE-2014-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
CVE-2014-0113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0113
-------------

Regards
Shin Sameshima
James Falkner, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1399, Join date: 17/09/10
Shin Sameshima:
Hi everybody,

Does the Apache Struts vulnerability affect Liferay 6.2?
--------------
Vulnerability details:

Announcements
http://struts.apache.org/announce.html
Security Bulletins S2-020
http://struts.apache.org/release/2.3.x/docs/s2-020.html
Security Bulletins S2-021
http://struts.apache.org/release/2.3.x/docs/s2-021.html
CVE-2014-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
CVE-2014-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
CVE-2014-0113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0113
-------------

Regards
Shin Sameshima


Nope, Liferay 6.2 uses Struts 1.x, so not affected.
Shin Sameshima, modified 9 years ago.

RE: Vulnerability of Apache Struts

New Member, Posts: 11, Join date: 03/08/13
Thank you for your quick reply.
But some websites report that Struts 1 in all versions is affected by a ClassLoader manipulation vulnerability similar to a recently fixed vulnerability in Struts 2.
This is a different flaw. Please refer to CVE-2014-0114 in regards to this issue.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Regards
David H Nebinger, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 14916, Join date: 02/09/06
Yeah, James is incorrect that Struts 1 is not affected.

Unfortunately Struts 1 is also EOL'd by Apache, so unless they're planning an emergency patch, a fix from Apache is not forthcoming.

So while I understand staying with Struts 1 for the OOTB portlets (small footprint, minimal framework impact), I guess Liferay is going to have to be responsible for backfilling Struts 1 fixes (such as this one) to continue to stay with Struts 1...
Shin Sameshima, modified 9 years ago.

RE: Vulnerability of Apache Struts

New Member, Posts: 11, Join date: 03/08/13
Hi David. Thank you for your kind comment. Although I guess it will take a little more time to fix, I think I want to wait for it.

Regards.
Samuel Kong, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1902, Join date: 10/03/08
Liferay Portal is not affected by CVE-2014-0114 because this exploit utilizes ActionForm and Liferay Portal does not use ActionForm out of the box. However, you may be vulnerable if you created a custom portlet that uses ActionForm.
Advait Trivedi, modified 9 years ago.

RE: Vulnerability of Apache Struts

Junior Member, Posts: 56, Join date: 30/03/10
Hi Samuel,
I am not sure how you can say that ActionForm is not used by Liferay. I scanned the Liferay source code and was able to find multiple references to ActionForm. Just to point to one such instance: com.liferay.portlet.blogs.action.EditEntryAction.processAction(ActionMapping, ActionForm, PortletConfig, ActionRequest, ActionResponse)

Can you please clarify, what you meant when you said Liferay Portal does not use ActionForm?

Thanks,
Advait
Samuel Kong, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1902, Join date: 10/03/08
Hi Advait,

The ActionForm you see in the code is the result of Liferay exposing Struts' ActionForm to developers. This is why you can use ActionForm in your custom portlets and why you may be vulnerable if you use ActionForm in a custom portlet. However, Liferay Portal does not use ActionForm to implement any out of the box functionality. So, yes, it's there, but Liferay does not use it.
Advait Trivedi, modified 9 years ago.

RE: Vulnerability of Apache Struts

Junior Member, Posts: 56, Join date: 30/03/10
Hi Samuel,

Appreciate your comments.
But the example which I gave you is directly from the Liferay source code; it's a Liferay OOB Blog portlet which uses ActionForm. Is it not really apparent?

Thanks,
Advait
Samuel Kong, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1902, Join date: 10/03/08
Hi Advait,

Yes, it's in the method signature. But we don't use the ActionForm.
Advait Trivedi, modified 9 years ago.

RE: Vulnerability of Apache Struts

Junior Member, Posts: 56, Join date: 30/03/10
Hi Samuel,

I see your point, thanks again for clarifying.
So, can you shed some light on what the patch given by Liferay to EE customers for this issue contains?

Thanks,
Advait
Samuel Kong, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1902, Join date: 10/03/08
The patch pretty much follows the recommendation from Apache Struts and filters out "class" parameters.
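As an added illustration of the mitigation described in this reply (example code written for this thread, not Liferay's actual patch and not the expression published in the Apache advisory): a servlet filter that hides any request parameter whose name contains a `class` property segment before Struts 1's ActionForm population can see it. The class name, the regular expression and the web.xml mapping it needs are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical servlet filter: hides request parameters whose name walks
 *  through a "class" property (e.g. class.classLoader.resources...), so that
 *  BeanUtils-style population of a Struts 1 ActionForm never sees them. */
public class ClassParameterFilter implements Filter {
    // A path segment named "class"/"Class" at the start of the name, after a
    // dot, or inside a bracketed/quoted index. Constructed for this example;
    // it is not the expression published in the Apache advisory.
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|[.\\[\"'])[cC]lass([.\\[\\]\"']|$)");
    static boolean isBlocked(String name) {
        return name != null && CLASS_SEGMENT.matcher(name).find();
    }
    /** Request view that exposes only the parameters that passed the check. */
    static class CleanRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new HashMap<>();
        CleanRequest(HttpServletRequest req) {
            super(req);
            for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
                if (!isBlocked(e.getKey())) params.put(e.getKey(), e.getValue());
            }
        }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public String getParameter(String n) {
            String[] v = params.get(n);
            return (v == null || v.length == 0) ? null : v[0];
        }
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only HTTP requests; everything downstream (Struts, portlets) sees the cleaned view.
        if (req instanceof HttpServletRequest) req = new CleanRequest((HttpServletRequest) req);
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml ahead of the portal servlet so that custom portlets using ActionForm receive the cleaned parameter view as well.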
KC Koh, modified 6 years ago.

RE: Vulnerability of Apache Struts

New Member, Posts: 2, Join date: 04/06/10
Samuel Kong:
Hi Advait,

Yes, it's in the method signature. But we don't use the ActionForm.


Hi Samuel,

Is it possible to list the Struts classes Liferay actually uses, instead of telling us what classes are not used?

Regards
KC
Samuel Kong, modified 6 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1902, Join date: 10/03/08
Hi KC,

I have good news and bad news. The bad news is that I don't have such a list. However, the good news is that Liferay Portal is open source. That means you can just search through the code and put together the list yourself. As a starting point, try searching for "org.apache.struts".
James Falkner, modified 9 years ago.

RE: Vulnerability of Apache Struts

Liferay Legend, Posts: 1399, Join date: 17/09/10
Shin Sameshima:
Hi David. Thank you for your kind comment. Although I guess it will take a little more time to fix, I think I want to wait for it.

Regards.


Hey Shin, so we have issued an alert for this issue - thanks for bringing it to our attention! As Sam points out, although Liferay itself isn't affected, some Liferay users may be using the features in Struts that can open them up to vulnerabilities, so we wanted to make an official announcement and document how to work around it (we are also going to produce a patch for 6.2.1 in the near future).
Shin Sameshima, modified 9 years ago.

RE: Vulnerability of Apache Struts

New Member, Posts: 11, Join date: 03/08/13
Hi James. Thank you for your comment. I was relieved to learn that Liferay itself is not affected. I use the "issued an alert for this issue" post by the Community Security Team as a reference.

Regards.