Re: Apache Struts Vulnerability - CVE-2017-9791
2017-07-24 10:57 GMT+02:00 Chunduru, Krishnachaithanya: > I was referring to the Apache Webserver 2.4.10 running in our environment. but you still need a Servlet container, e.g. Tomcat or Jetty or other to run a Struts based app. > Can you please let me know how to check the current Struts version I'm using. As you already did, by checking the MANIFEST file which says you are using Struts 1.1 Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
RE: Apache Struts Vulnerability - CVE-2017-9791
Sorry, I might have confused it. I was referring to the Apache Webserver 2.4.10 running in our environment. Can you please let me know how to check the current Struts version I'm using. Regards, Krishna -Original Message- From: Lukasz Lenart [mailto:lukaszlen...@apache.org] Sent: Monday, July 24, 2017 1:16 PM To: Struts Users Mailing List Subject: Re: Apache Struts Vulnerability - CVE-2017-9791 2017-07-24 9:36 GMT+02:00 Chunduru, Krishnachaithanya <krishnachaithanya.chund...@broadridge.com>: > I was referring to Apache version we have i.e., 2.4.10. There is no such version of Struts -> http://struts.apache.org/downloads.html Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
Re: Apache Struts Vulnerability - CVE-2017-9791
2017-07-24 9:36 GMT+02:00 Chunduru, Krishnachaithanya: > I was referring to Apache version we have i.e., 2.4.10. There is no such version of Struts -> http://struts.apache.org/downloads.html Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
RE: Apache Struts Vulnerability - CVE-2017-9791
Hi Lukasz, Thanks for the prompt response. I was referring to Apache version we have i.e., 2.4.10. I'm not sure how to check the struts version we are having. As you mentioned 2.5.x series is not affected where and how to check this version on server, I tried googling these issues but it was of very little help. I was also trying to check for the other vulnerabilities that are present in 1.1 version. Once again thanks for the help. Regards, Krishna -Original Message- From: Lukasz Lenart [mailto:lukaszlen...@apache.org] Sent: Monday, July 24, 2017 12:53 PM To: Struts Users Mailing List Subject: Re: Apache Struts Vulnerability - CVE-2017-9791 2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya <krishnachaithanya.chund...@broadridge.com>: > Can someone please confirm if Apache 2.4.10 is vulnerable to the > CVE-2017-9791. I assume you meant 2.5.10 as there is no such version as 2.4.10. And as stated in the description 2.5.x series isn't affected as it doesn't ship with the Struts 1 plugin, only Struts 2.3.x can be affected http://struts.apache.org/docs/s2-048.html > I tired checking in the MANIFEST.MF file, where is the implementation version > shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you. Looks like you are running the previous version of Struts, version 1.1 which isn't affected by the vulnerability (but there are other vulnerabilities which affect this version). Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Apache Struts Vulnerability - CVE-2017-9791
2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya: > Can someone please confirm if Apache 2.4.10 is vulnerable to the > CVE-2017-9791. I assume you meant 2.5.10 as there is no such version as 2.4.10. And as stated in the description 2.5.x series isn't affected as it doesn't ship with the Struts 1 plugin, only Struts 2.3.x can be affected http://struts.apache.org/docs/s2-048.html > I tired checking in the MANIFEST.MF file, where is the implementation version > shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you. Looks like you are running the previous version of Struts, version 1.1 which isn't affected by the vulnerability (but there are other vulnerabilities which affect this version). Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org