Re: Java security issue vs. struts?
Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? As long as you do not use Applets to output JFreechart data you should be fine (saying: if you generate images with JFreechart) (1) My jsp: img src=jfreechart_reportProcessReport.action (2) struts.xml action name=jfreechart_reportProcessReport method=jfreechart_report class=ProcessReport result name=success type=chart param name=chartchart/param param name=width1000/param param name=height500/param /result /action (3) My struts java action class (server side): do: ChartFactory.createBarChart3D(){... ...} As a result, due to (1) ~(3) I am safe I believe. Thanks a lot for all your comments! Emi - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Java security issue vs. struts?
Hello Martin, I did not find bug report under struts JIRA related to jfreechart. More details about how I use jfreechart: (1) jsp img src=.action (2) JAVA Action class, generated jsp (3) struts.xml specify img size Hope this info will help others have the same concern :-) Bon week-end! Emi On 01/16/2013 05:39 PM, Martin Gainty wrote: Hi Chris This issue came up on another apache users list I believe there was open access issue to Remote Context Object by OGNL (but i think Lukasz or Dave addressed the issue)..emi..did you see this in Struts Jira? Bon chance, Martin __ Note de déni et de confidentialitéCe message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. Original Message Subject: Re: Java security issue vs. struts? Date: Fri, 18 Jan 2013 12:00:31 -0500 From: Emi Lu em...@encs.concordia.ca Reply-To: em...@encs.concordia.ca To: Christian Grobmeier grobme...@gmail.com CC: Struts Users Mailing List user@struts.apache.org, Chris Pratt thechrispr...@gmail.com Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? As long as you do not use Applets to output JFreechart data you should be fine (saying: if you generate images with JFreechart) (1) My jsp: img src=jfreechart_reportProcessReport.action (2) struts.xml action name=jfreechart_reportProcessReport method=jfreechart_report class=ProcessReport result name=success type=chart param name=chartchart/param param name=width1000/param param name=height500/param /result /action (3) My struts java action class (server side): do: ChartFactory.createBarChart3D(){... ...} As a result, due to (1) ~(3) I am safe I believe. Thanks a lot for all your comments! Emi mailto:user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org mailto:user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
RE: Java security issue vs. struts?
1)The open access created via OGNL expression request to Context is a minor breach..contact Dave or Lukasz for solution (at least one of them will plug the hole) 2)If you're a security guy (or gal) start subscribing to CVE bulletins Oracle *usually* addresses these issues right away and you can read about the latest vulnerability and ways to mitigate the breach at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html Bon Chance,Martin Date: Fri, 18 Jan 2013 12:21:28 -0500 From: em...@encs.concordia.ca To: user@struts.apache.org CC: mgai...@hotmail.com; thechrispr...@gmail.com Subject: Re: Java security issue vs. struts? Hello Martin, I did not find bug report under struts JIRA related to jfreechart. More details about how I use jfreechart: (1) jsp img src=.action (2) JAVA Action class, generated jsp (3) struts.xml specify img size Hope this info will help others have the same concern :-) Bon week-end! Emi On 01/16/2013 05:39 PM, Martin Gainty wrote: Hi Chris This issue came up on another apache users list I believe there was open access issue to Remote Context Object by OGNL (but i think Lukasz or Dave addressed the issue)..emi..did you see this in Struts Jira? Bon chance, Martin __ Note de déni et de confidentialitéCe message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. Original Message Subject: Re: Java security issue vs. struts? Date: Fri, 18 Jan 2013 12:00:31 -0500 From: Emi Lu em...@encs.concordia.ca Reply-To: em...@encs.concordia.ca To: Christian Grobmeier grobme...@gmail.com CC: Struts Users Mailing List user@struts.apache.org, Chris Pratt thechrispr...@gmail.com Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? As long as you do not use Applets to output JFreechart data you should be fine (saying: if you generate images with JFreechart) (1) My jsp: img src=jfreechart_reportProcessReport.action (2) struts.xml action name=jfreechart_reportProcessReport method=jfreechart_report class=ProcessReport result name=success type=chart param name=chartchart/param param name=width1000/param param name=height500/param /result /action (3) My struts java action class (server side): do: ChartFactory.createBarChart3D(){... ...} As a result, due to (1) ~(3) I am safe I believe. Thanks a lot for all your comments! Emi mailto:user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org mailto:user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Java security issue vs. struts?
I believe the description says it all. This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. *These vulnerabilities are not applicable to Java running on servers,* standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. On Wed, Jan 16, 2013 at 1:54 PM, Emi Lu em...@encs.concordia.ca wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/**technetwork/topics/security/** alert-cve-2013-0422-1896849.**htmlhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html Thanks a lot! Emi --**--**- To unsubscribe, e-mail: user-unsubscribe@struts.**apache.orguser-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Java security issue vs. struts?
On 01/16/2013 04:54 PM, Emi Lu wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html One more link: http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/ For example, would struts2-jfreechart considered as java-app run through web browser? Emi - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Java security issue vs. struts?
On 01/16/2013 05:02 PM, Chris Pratt wrote: I believe the description says it all. This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. *These vulnerabilities are not applicable to Java running on servers,* standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? Emi On Wed, Jan 16, 2013 at 1:54 PM, Emi Lu em...@encs.concordia.ca mailto:em...@encs.concordia.ca wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/__technetwork/topics/security/__alert-cve-2013-0422-1896849.__html http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html Thanks a lot! Emi --__--__- To unsubscribe, e-mail: user-unsubscribe@struts.__apache.org mailto:user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org mailto:user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
RE: Java security issue vs. struts?
Hi Chris This issue came up on another apache users list I believe there was open access issue to Remote Context Object by OGNL (but i think Lukasz or Dave addressed the issue)..emi..did you see this in Struts Jira? Bon chance, Martin __ Note de déni et de confidentialitéCe message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. Date: Wed, 16 Jan 2013 17:12:13 -0500 From: em...@encs.concordia.ca To: thechrispr...@gmail.com CC: user@struts.apache.org Subject: Re: Java security issue vs. struts? On 01/16/2013 05:02 PM, Chris Pratt wrote: I believe the description says it all. This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. *These vulnerabilities are not applicable to Java running on servers,* standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? Emi On Wed, Jan 16, 2013 at 1:54 PM, Emi Lu em...@encs.concordia.ca mailto:em...@encs.concordia.ca wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/__technetwork/topics/security/__alert-cve-2013-0422-1896849.__html http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html Thanks a lot! Emi --__--__- To unsubscribe, e-mail: user-unsubscribe@struts.__apache.org mailto:user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org mailto:user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Java security issue vs. struts?
... Where does Struts 2 run? In the browser, or on a server? Dave On Wed, Jan 16, 2013 at 5:06 PM, Emi Lu em...@encs.concordia.ca wrote: On 01/16/2013 04:54 PM, Emi Lu wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/**technetwork/topics/security/** alert-cve-2013-0422-1896849.**htmlhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html One more link: http://nakedsecurity.sophos.**com/2013/01/15/disable-java-** browsers-homeland-security/http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/ For example, would struts2-jfreechart considered as java-app run through web browser? Emi --**--**- To unsubscribe, e-mail: user-unsubscribe@struts.**apache.orguser-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- e: davelnew...@gmail.com m: 908-380-8699 s: davelnewton_skype t: @dave_newton https://twitter.com/dave_newton b: Bucky Bits http://buckybits.blogspot.com/ g: davelnewton https://github.com/davelnewton so: Dave Newton http://stackoverflow.com/users/438992/dave-newton
Re: Java security issue vs. struts?
On Wed, Jan 16, 2013 at 11:12 PM, Emi Lu em...@encs.concordia.ca wrote: On 01/16/2013 05:02 PM, Chris Pratt wrote: I believe the description says it all. This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. *These vulnerabilities are not applicable to Java running on servers,* standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. Thank you Chris. Moreover, if I call jfreechart to generate reports through web applications, it will not be affected, I believe? As long as you do not use Applets to output JFreechart data you should be fine (saying: if you generate images with JFreechart) Emi On Wed, Jan 16, 2013 at 1:54 PM, Emi Lu em...@encs.concordia.ca mailto:em...@encs.concordia.ca wrote: Hello, Does someone know how this java security issue related to struts framework? http://www.oracle.com/__technetwork/topics/security/__alert-cve-2013-0422-1896849.__html http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html Thanks a lot! Emi --__--__- To unsubscribe, e-mail: user-unsubscribe@struts.__apache.org mailto:user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org mailto:user-h...@struts.apache.org -- Emi Lu, ENCS, Concordia University, Montreal H3G 1M8 em...@encs.concordia.ca+1 514 848-2424 x5884 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- http://www.grobmeier.de https://www.timeandbill.de - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org