Message Boards

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Orin Fink, modified 7 years ago.

Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerability?

Junior Member Posts: 65 Join Date: 10-3-25 Recent Posts
Given the recent exploit news regarding Apache Struts 2 File Uploader, I wanted to ask if there is any concern with this being an issue on Liferay 6.2 GA6?

I've searched the code base for any instance of FileUploadInterceptor via GitHub and nothing was found. However, I would still like to hear from others if anybody has found that this exploit, CVE-2017-5638, would affect any version (current or previous) of Liferay.

More information on the Struts exploit:

http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

and

https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/
David H Nebinger, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14918 Join Date: 06-9-2 Recent Posts
No. Liferay has never adopted Struts 2, only Struts 1.

The only folks that need to be concerned are those that have implemented Struts 2 for their portlets.

In general, the problem is that the code injected with the Struts 2 vulnerability runs with all permissions as the user that launched Tomcat.

Since we are all smart people and we never, ever run tomcat as root and, in fact, always follow the best practice to create an unprivileged user to run our tomcat instance under, even if we were using Struts 2 our systems would be great targets for the hackers to hit - even if they could inject code, it wouldn't be able to do any of the things the hackers are trying to exploit.
Orin Fink, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Junior Member Posts: 65 Join Date: 10-3-25 Recent Posts
Thanks a ton David.
David H Nebinger, modified 7 years ago.

RE: Any concern with Zero Day CVE-2017-5638 a Struts File Upload Vulnerabil

Liferay Legend Posts: 14918 Join Date: 06-9-2 Recent Posts
Yeah, just trying to inject a little humor.

It does carry a lesson for us though. If you are running your app server as root, it's really something you want to look at. We never know what the next vulnerability is going to be, but if your app server is not running as an escalated user account your system will be less vulnerable to attack.

If I'm running Struts 2 and using a totally non-privileged account (like I can only write to logs, temp and that's it), I'd feel fine with running struts 2.
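The lesson in the reply above, an app server running as root turns any code-injection bug into a full-system compromise, is easy to audit for. The following POSIX shell snippet is an added example (not code from the thread or from Liferay): it scans `ps -eo user,pid,args`-style output and flags any Tomcat/Catalina JVM owned by root, and it checks that a named service account is not uid 0. The process listing embedded in the script is constructed sample data; the `tomcat` account name and the `/opt/liferay/...` paths are assumptions for the illustration.

```bash
#!/bin/sh
# Audit helper (added example, not from the original thread).
# flag_root_appservers reads `ps -eo user,pid,args` output on stdin and prints
# one line per Tomcat/Catalina process whose owner is root.
flag_root_appservers() {
    awk '
        NR == 1 && $1 == "USER" { next }                 # skip the ps header row
        $1 == "root" && tolower($0) ~ /catalina|tomcat/ {
            cmd = substr($0, index($0, $3))              # everything from ARGS on
            printf "ROOT APPSERVER pid=%s cmd=%s\n", $2, cmd
        }
    '
}

# is_unprivileged_user succeeds only if the account exists and is not uid 0.
# Run this against the account in your Tomcat/Liferay start script.
is_unprivileged_user() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# Constructed sample of `ps -eo user,pid,args` output (hypothetical hosts/paths):
SAMPLE_PS='USER       PID ARGS
root         1 /sbin/init
root      2101 /usr/bin/java -Dcatalina.base=/opt/liferay/tomcat org.apache.catalina.startup.Bootstrap start
tomcat    2210 /usr/bin/java -Dcatalina.base=/opt/tomcat8 org.apache.catalina.startup.Bootstrap start
root      3001 /usr/sbin/sshd -D'

# count_root_appservers returns how many offending processes the sample contains.
count_root_appservers() {
    printf '%s\n' "$SAMPLE_PS" | flag_root_appservers | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample; on a real host replace the
# sample with:  ps -eo user,pid,args | flag_root_appservers
printf '%s\n' "$SAMPLE_PS" | flag_root_appservers
```

Only the JVM with pid 2101 is reported; the instance owned by the `tomcat` account and the unrelated root processes are ignored. Pair the audit with the usual least-privilege setup: a dedicated account that owns only the logs, temp and work directories, with the rest of the Tomcat tree read-only to it.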