Message Boards

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Updated 7 years ago by Orin Fink.

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Junior Member Posts: 65 Join Date: 10/03/25 Recent Posts
Given the recent exploit news regarding Apache Struts 2 File Uploader, I wanted to ask if there is any concern with this being an issue on Liferay 6.2 GA6?

I've searched the code base for any instance of FileUploadInterceptor via GitHub and nothing was found. However, I would still like to hear from others whether anybody has found that this exploit, CVE-2017-5638, would affect any version (current or previous) of Liferay.

More information on the Struts exploit:

http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

and

https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/
Updated 7 years ago by David H Nebinger.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14916 Join Date: 06/09/02 Recent Posts
No. Liferay has never adopted Struts 2, only Struts 1.

The only folks that need to be concerned are those that have implemented Struts 2 for their portlets.

In general, the problem is that the code injected with the Struts 2 vulnerability runs with all permissions as the user that launched Tomcat.

Since we are all smart people and we never, ever run Tomcat as root and, in fact, always follow the best practice of creating an unprivileged user to run our Tomcat instance under, even if we were using Struts 2 our systems would be great targets for the hackers to hit - even if they could inject code, it wouldn't be able to do any of the things the hackers are trying to exploit.
Updated 7 years ago by Orin Fink.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Junior Member Posts: 65 Join Date: 10/03/25 Recent Posts
Thanks a ton David.
Updated 7 years ago by David H Nebinger.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14916 Join Date: 06/09/02 Recent Posts
Yeah, just trying to inject a little humor.

It does carry a lesson for us though. If you are running your app server as root, it's really something you want to look at. We never know what the next vulnerability is going to be, but if your app server is not running as an escalated user account your system will be less vulnerable to attack.

If I'm running Struts 2 and using a totally non-privileged account (like I can only write to logs, temp and that's it), I'd feel fine with running Struts 2.
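An added audit script for the lesson in the two posts above. It is not from the thread, from Liferay, or from Apache; it checks the two things David describes, that the app-server process is not owned by root and that within the install tree only the directories the service account is meant to write (logs and temp) are group- or world-writable. The directory names, the `ps` lookup and the install layout in the demo are assumptions, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the forum thread. Audits the least-privilege setup
# described in the posts: (1) the app-server process must not run as root;
# (2) inside the install tree, only an allow list of directories (logs, temp)
# may be group- or world-writable. Paths and directory names are assumptions.

# Policy on an account name: returns 0 (true) unless the account is root.
user_is_unprivileged() {
  case "$1" in
    root|0|"") return 1 ;;
    *) return 0 ;;
  esac
}

# Look up the owner of a running PID with ps and apply the policy above.
# Usage: process_user_is_unprivileged "$(cat /var/run/tomcat.pid)"   (path assumed)
process_user_is_unprivileged() {
  owner=$(ps -o user= -p "$1" 2>/dev/null | tr -d ' ')
  user_is_unprivileged "$owner"
}

# Given an `ls -ld` mode string such as drwxrwxr-x, return 0 when the group
# write bit (6th character) or the other write bit (9th character) is set.
mode_is_group_or_world_writable() {
  case "$1" in
    ?????w*)    return 0 ;;
    ????????w*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print every immediate subdirectory of $1 that is group- or world-writable
# and not named in the allow list given as the remaining arguments.
# Returns 1 if any such directory was found, 0 otherwise.
# Usage: unexpected_writable_dirs /opt/tomcat logs temp   (path assumed)
unexpected_writable_dirs() {
  root="$1"; shift
  found=0
  for d in "$root"/*; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    allowed=0
    for a in "$@"; do
      [ "$a" = "$name" ] && allowed=1
    done
    [ "$allowed" -eq 1 ] && continue
    mode=$(ls -ld "$d" | cut -c1-10)
    if mode_is_group_or_world_writable "$mode"; then
      echo "$name"
      found=1
    fi
  done
  return $found
}

# Demo on a constructed, hypothetical install tree (removed afterwards).
demo() {
  tree=$(mktemp -d)
  mkdir "$tree/conf" "$tree/webapps" "$tree/logs" "$tree/temp" "$tree/work"
  chmod 755 "$tree/conf" "$tree/webapps"   # read-only for the service account
  chmod 775 "$tree/logs" "$tree/temp"      # the only intended write targets
  chmod 777 "$tree/work"                   # the misconfiguration to be flagged
  if unexpected_writable_dirs "$tree" logs temp; then
    echo "OK: only logs and temp are writable"
  else
    echo "WARNING: the directories listed above are writable beyond the allow list"
  fi
  rm -rf "$tree"
}
demo
```

The mode-string check deliberately reads permission bits from `ls -ld` rather than using `[ -w ]`, because `-w` always succeeds when the audit itself runs as root and would hide exactly the misconfiguration the posts warn about.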