Re: Security Vulnerability for Struts 1.3.10 in Struts 2.x

2016-05-10 Thread Christopher Schultz

Anu,

On 4/28/16 6:34 PM, Anu Krishna Rajamohan wrote:
> As Apache Struts 1.x is pretty old and it suffers from many
> security vulnerabilities, I decided to use a recent version of
> Apache Struts 2.x (Struts 2.3.24.1). However, I find that
> struts-core-1.3.10 jar is present in struts 2.x. Can you please let
> me know if the presence of this jar makes Struts 2.x vulnerable to
> security issues such as CVE-2012-1007.

It's worth pointing out that CVE-2012-1007 specifically is an XSS
vulnerability in the Struts example web application. There is really
no need to ever deploy that application anywhere but a dev server
playground.

The presence of the JAR does not deploy this examples web application,
so you won't be vulnerable to CVE-2012-1007 unless you really try hard
to expose yourself.

-chris

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



[ANN] Apache Struts 2.5 GA release available

2016-05-10 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5 is
available as a “General Availability” release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release contains several breaking changes and improvements, just
to mention a few of them:

- XWork source was merged into Struts Core source, which means there
will be no more xwork artifact nor a dedicated jar
- Spring dependency for tests and spring plugin was upgraded to
version 4.1.6, see WW-4510.
- Struts2 internal logging api was marked as deprecated and was
replaced with new Log4j2 api as logging layer, see WW-4504.
- Struts2 is now built with JDK7, see WW-4503.
- New plugin to support bean validation is now part of the
distribution, see WW-4505.
- Deprecated plugins are now removed from the distribution and are no
longer supported:
  - Dojo Plugin
  - Codebehind Plugin
  - JSF Plugin
  - Struts1 Plugin
- New security option was added - Strict Method Invocation (also known
as Strict DMI), see WW-4540
- Added support for latest stable AngularJS in Maven archetype, see WW-4522
- Dropped support for id and name - replaced with var, see WW-2069
- Dedicated archive with a minimal set of dependencies was introduced,
see WW-4570
- It is possible to use multiple names when defining a result, see WW-4590
- Rest plugin honors Accept header, see WW-4588
- New result ‘JSONActionRedirectResult’ in json-plugin was defined, see WW-4591
- Tiles plugin was upgraded to the latest Tiles 3 and tiles3-plugin was
dropped, see WW-4584
- JasperReports plugin was upgraded to JasperReport 6.0, see WW-4381
- OGNL was upgraded to version 3.1.4 and it breaks access to
properties as it follows Java Bean Specification, see WW-4207 and
WW-3909
- Annotations to configure Tiles, see WW-4594 and Tiles Plugin

and many other improvements, please check the version notes

Struts 2.5 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts-ga

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.5.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java SE 7
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

The release notes are available online at:
* http://struts.apache.org/docs/version-notes-25.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
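The announcement above lists Strict Method Invocation (Strict DMI, WW-4540) as the new security option but does not show how it is configured. The following struts.xml is an added example, not part of the announcement or of the Struts project's own distribution; the package, action and class names are made up for illustration, and the element and attribute names (strict-method-invocation, global-allowed-methods, allowed-methods, the struts.enable.DynamicMethodInvocation constant) follow my reading of the Struts 2.5 configuration DTD. It pairs the weak setting (Dynamic Method Invocation left on, so a request like order!anyPublicMethod can reach arbitrary public methods of an action) with the restricted form, where only explicitly listed methods are reachable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Weak setting (shown for contrast, do not combine with the package below):
         <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
         With DMI on and no SMI, "order!doSomething.action" dispatches to any
         public no-arg method on the action class, not just the ones you intended
         to expose. -->

    <!-- Hardened setting: switch the bang syntax off globally ... -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- ... and turn on Strict Method Invocation for the whole package.
         Package, action and class names here are assumptions for this example. -->
    <package name="secure" extends="struts-default" strict-method-invocation="true">

        <!-- Methods every action in this package may expose. Any other method name
             arriving via wildcard or method="..." mapping is refused unless the
             action lists it explicitly. -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <action name="order" class="com.example.OrderAction">
            <result name="success">/WEB-INF/jsp/order.jsp</result>
            <result name="input">/WEB-INF/jsp/order-form.jsp</result>
            <!-- Only save and cancel (plus the global execute/input) are callable. -->
            <allowed-methods>save,cancel</allowed-methods>
        </action>

        <!-- Wildcard mapping: with SMI on, the {1} substitution must still resolve
             to one of the allowed methods, so report_generate works and
             report_getClass does not. -->
        <action name="report_*" method="{1}" class="com.example.ReportAction">
            <result>/WEB-INF/jsp/report.jsp</result>
            <allowed-methods>generate,export</allowed-methods>
        </action>
    </package>
</struts>
```

When reviewing an upgrade to 2.5, grep the existing configuration for packages that extend struts-default without strict-method-invocation and for wildcard method="{n}" mappings; each of those is a place where an allowed-methods list now needs to be written down, which is also the inventory of methods your actions actually expose.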
