Re: Does Drill Use Apache Struts

2017-09-08 Thread Ted Dunning
What a mess! I would tend to use a stronger word for that in private. A "more technical", if you will. On Sep 8, 2017 16:12, "John Omernik" wrote: > Rumors are pointing to it being related to the Equifax breach (no > confirmation from me on that, just seeing it referenced as

Re: Does Drill Use Apache Struts

2017-09-08 Thread Bob Rudis
(This is primarily for John, but may be of use to a broader set of folks) OWASP's straightforward-yet-uncreatively-named "DependencyCheck" tool may be worth looking into. I haven't had to run it in a while (thankfully I work in R most of the time

Re: Does Drill Use Apache Struts

2017-09-08 Thread Bob Rudis
I personally haven't had the cycles to do a thorough appsec review of the main web interface, the REST interface, access controls or encryption tools, but I also only run Drill on private AWS instances or on personal servers / systems, so it hasn't been a huge priority for me. I would encourage

Re: Does Drill Use Apache Struts

2017-09-08 Thread Saurabh Mahapatra
Thanks John, all. I think this discussion thread is important. As a community member, I learn so much by reading these threads. Since you work in cyber security research, are there specific things we should think about from a security standpoint for Drill? I know that we have a REST API and

Re: Does Drill Use Apache Struts

2017-09-08 Thread John Omernik
Also, thank you for the pointer to the pom.xml On Fri, Sep 8, 2017 at 9:41 AM, John Omernik wrote: > So, I thought I was clear that it was unverified, but I also am in cyber > security research, and this is what is being discussed in closed circles. I > agree, it may not be

Re: Does Drill Use Apache Struts

2017-09-08 Thread John Omernik
So, I thought I was clear that it was unverified, but I also am in cyber security research, and this is what is being discussed in closed circles. I agree, it may not be just struts; it's not spreading rumors to say this struts vulnerability is serious, and it's something that should be

Re: Does Drill Use Apache Struts

2017-09-08 Thread Bob Rudis
Equifax was likely unrelated SQL injection. Don't spread rumors. Struts had yet-another-remote exploit (three of 'em, actually). I do this for a living (cybersecurity research). Drill is not impacted which can be verified by looking at dependencies in

Re: Does Drill Use Apache Struts

2017-09-08 Thread John Omernik
Rumors are pointing to it being related to the Equifax breach (no confirmation from me on that, just seeing it referenced as a possibility) http://thehackernews.com/2017/09/apache-struts-vulnerability.html On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning wrote: > Almost

Re: Does Drill Use Apache Struts

2017-09-08 Thread Ted Dunning
Almost certainly not. What issues are you referring to? I don't follow struts. On Sep 8, 2017 16:00, "John Omernik" wrote: Hey all, given the recent issues related to Struts, can we confirm that Drill doesn't use this Apache component for anything? I am not good enough at

Does Drill Use Apache Struts

2017-09-08 Thread John Omernik
Hey all, given the recent issues related to Struts, can we confirm that Drill doesn't use this Apache component for anything? I am not good enough at code reviews to see what may be used. John