Also, thank you for the pointer to the pom.xml

On Fri, Sep 8, 2017 at 9:41 AM, John Omernik <j...@omernik.com> wrote:

> So, I thought I was clear that it was unverified, but I also am in cyber
> security research, and this is what is being discussed in closed circles. I
> agree, it may not be just Struts; it's not spreading rumors to say this
> Struts vulnerability is serious, and it's something that should be
> considered in a massive breach like this. Also, as with most security
> incidents, it is likely only a part of the story. It could be SQLi and it
> could be Struts and it could be both or neither. To imply it was unrelated
> SQLi is just as presumptuous as saying it was Struts. Some folks are
> talking about attackers using Struts to get to a zone where SQLi was
> possible. I will be clear(er): I have not verified that Equifax is wholly
> Struts, or even related to Struts, but my fear right now is focused on open
> source projects that may use Struts and I think this is legitimate. Putting
> it into context, I want to learn more about how to ensure vulnerabilities in
> one project/library are handled from a cascading point of view.
>
> John
>
> On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis <b...@rud.is> wrote:
>
>> Equifax was likely unrelated SQL injection. Don't spread rumors.
>>
>> Struts had yet-another-remote exploit (three of 'em, actually).
>>
>> I do this for a living (cybersecurity research).
>>
>> Drill is not impacted, which can be verified by looking at dependencies
>> in https://github.com/apache/drill/blob/master/pom.xml
>>
>> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik <j...@omernik.com> wrote:
>>> Rumors are pointing to it being related to the Equifax breach (no
>>> confirmation from me on that, just seeing it referenced as a
>>> possibility)
>>>
>>> http://thehackernews.com/2017/09/apache-struts-vulnerability.html
>>>
>>> On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning <ted.dunn...@gmail.com> wrote:
>>>
>>>> Almost certainly not.
>>>>
>>>> What issues are you referring to? I don't follow Struts.
>>>>
>>>> On Sep 8, 2017 16:00, "John Omernik" <j...@omernik.com> wrote:
>>>>
>>>> Hey all, given the recent issues related to Struts, can we confirm that
>>>> Drill doesn't use this Apache component for anything? I am not good enough
>>>> at code reviews to see what may be used.
>>>>
>>>> John
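The check Bob describes, reading a project's pom.xml to see whether it declares a dependency on Struts, can be scripted so it is repeatable across many projects. The following is an added example and is not code from the Drill project or from anyone in this thread. It assumes the standard Maven POM 4.0.0 namespace, identifies Struts by its Maven groupId `org.apache.struts`, and runs against a constructed sample POM embedded in the block (not Drill's real pom.xml); version numbers in the sample are made up.

```python
"""Scan a Maven pom.xml for declared dependencies on a given groupId.

Added example, not the Drill project's code. Assumes the Maven POM 4.0.0
namespace; the library of concern is matched by groupId prefix, e.g.
org.apache.struts for Struts. Only direct declarations in this one file
are examined (see the usage note for transitive dependencies).
"""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM (hypothetical module, not Drill's). It declares one
# Struts artifact directly and manages another via dependencyManagement, with
# the version supplied through a <properties> placeholder, a common layout
# that a naive grep for a version string would miss.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.struts</groupId>
        <artifactId>struts2-rest-plugin</artifactId>
        <version>${struts.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.6</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag):
    """Return the stripped text of a namespaced child element, or ''."""
    child = elem.find(f"m:{tag}", POM_NS)
    return child.text.strip() if child is not None and child.text else ""


def _resolve(value, props):
    """Expand ${name} placeholders from <properties>; unknown ones stay as-is."""
    for name, val in props.items():
        value = value.replace("${" + name + "}", val)
    return value


def find_dependencies(pom_xml, group_prefix):
    """Return (section, groupId, artifactId, version) for every dependency
    whose groupId starts with group_prefix, covering both <dependencies>
    and <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for p in props_el:
            # Strip the namespace from the tag to get the property name.
            props[p.tag.rsplit("}", 1)[-1]] = (p.text or "").strip()
    hits = []
    sections = (
        ("dependencies", "m:dependencies/m:dependency"),
        ("dependencyManagement", "m:dependencyManagement/m:dependencies/m:dependency"),
    )
    for section, path in sections:
        for dep in root.findall(path, POM_NS):
            group = _text(dep, "groupId")
            if group.startswith(group_prefix):
                version = _resolve(_text(dep, "version"), props)
                hits.append((section, group, _text(dep, "artifactId"), version))
    return hits


if __name__ == "__main__":
    for hit in find_dependencies(SAMPLE_POM, "org.apache.struts"):
        print("declared Struts dependency:", hit)
```

This only answers the question for artifacts declared in the one file you hand it. A multi-module build has a pom.xml per module, and a vulnerable library can arrive transitively through some other dependency without ever appearing in any of them; for that, Maven's own resolved view is the authoritative check, e.g. `mvn dependency:tree -Dincludes=org.apache.struts` run from the project root.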