1) The open access created via OGNL expression request to Context is a minor
breach. Contact Dave or Lukasz for a solution
(at least one of them will plug the hole).
2) If you're a security guy (or gal), start subscribing to CVE bulletins.
Oracle *usually* addresses these issues right away and you can read about the
latest vulnerability and ways to mitigate the breach
at
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Bon Chance, Martin

> Date: Fri, 18 Jan 2013 12:21:28 -0500
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
> Subject: Re: Java security issue vs. struts?
>
> Hello Martin,
>
> I did not find bug report under struts JIRA related to jfreechart.
>
> More details about how I use jfreechart:
> (1) jsp <img src=".action">
> (2) JAVA Action class, generated jsp
> (3) struts.xml specify img size
>
> Hope this info will help others have the same concern :-)
>
> Bon week-end!
> Emi
>
>
> On 01/16/2013 05:39 PM, Martin Gainty wrote:
> >
> > Hi Chris, this issue came up on another Apache users list. I believe there
> > was an open access issue to the Remote Context Object by OGNL
> > (but I think Lukasz or Dave addressed the issue). Emi, did you see this in
> > Struts Jira? Bon chance,
> > Martin
> > ______________________________________________
> > Disclaimer and confidentiality note: This message is confidential and may be
> > privileged. If you are not the intended recipient, we kindly ask that you
> > inform the sender. Any unauthorized distribution or copying of this message
> > is prohibited. This message is for information only and shall not have any
> > legally binding effect. Since emails can easily be subject to manipulation,
> > we cannot accept any responsibility for the content provided.
> >
>
>
> -------- Original Message --------
> Subject: Re: Java security issue vs. struts?
> Date: Fri, 18 Jan 2013 12:00:31 -0500
> From: Emi Lu <[email protected]>
> Reply-To: [email protected]
> To: Christian Grobmeier <[email protected]>
> CC: Struts Users Mailing List <[email protected]>, Chris Pratt
> <[email protected]>
>
> >> Thank you Chris. Moreover, if I call jfreechart to generate reports through
> >> web applications, it will not be affected, I believe?
> >
> > As long as you do not use Applets to output JFreechart data you should
> > be fine (saying: if you generate images with JFreechart)
>
> (1) My jsp:
> <img src="jfreechart_reportProcessReport.action">
>
> (2) struts.xml
>
> <action name="jfreechart_reportProcessReport" method="jfreechart_report"
>         class="ProcessReport">
>     <result name="success" type="chart">
>         <param name="chart">chart</param>
>         <param name="width">1000</param>
>         <param name="height">500</param>
>     </result>
> </action>
>
>
> (3) My struts java action class (server side):
>
> do:
> ChartFactory.createBarChart3D(){... ...}
>
>
> As a result, due to (1)-(3), I am safe, I believe.
>
> Thanks a lot for all your comments!
> Emi
>
>
>
> --
> Emi Lu, ENCS, Concordia University, Montreal H3G 1M8
> [email protected] +1 514 848-2424 x5884
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
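As an added illustration of the server-side setup Emi describes (this is example code, not code from the thread, from Struts, or from JFreeChart), here is what the action class behind that struts.xml looks like. The class name ProcessReport and the method name jfreechart_report are taken from the config quoted above; the package name and the dataset values are assumptions made for the example. The point the thread makes is visible in the code: the chart is rendered to an image on the server and the browser receives only the bytes of that image, so no applet or Java plugin is involved on the client side, and the image dimensions are pinned in struts.xml rather than taken from the request.

```java
// Added example, not from the mailing-list thread: a Struts 2 action that renders
// a JFreeChart bar chart on the server and exposes it to the
// struts2-jfreechart-plugin "chart" result type configured in struts.xml.
package example; // hypothetical package name

import com.opensymphony.xwork2.ActionSupport;
import org.jfree.chart.ChartFactory;
import org.jfree.chart.JFreeChart;
import org.jfree.chart.plot.PlotOrientation;
import org.jfree.data.category.DefaultCategoryDataset;

public class ProcessReport extends ActionSupport {

    // The "chart" result reads this through getChart(), so the property name
    // must match <param name="chart">chart</param> in struts.xml.
    private JFreeChart chart;

    // Invoked because struts.xml declares method="jfreechart_report".
    public String jfreechart_report() {
        DefaultCategoryDataset dataset = new DefaultCategoryDataset();
        // Constructed sample data; a real action would load it from its model.
        dataset.addValue(42, "Processed", "Jan");
        dataset.addValue(57, "Processed", "Feb");
        dataset.addValue(31, "Processed", "Mar");

        chart = ChartFactory.createBarChart3D(
                "Process report",          // chart title
                "Month",                   // category axis label
                "Count",                   // value axis label
                dataset,
                PlotOrientation.VERTICAL,
                true,                      // show legend
                false,                     // no tooltips (HTML image map not needed for a plain <img>)
                false);                    // no URLs
        return SUCCESS;
    }

    // Read by the chart result; the plugin writes the image using the width and
    // height fixed in struts.xml, so the client cannot ask for arbitrary sizes.
    public JFreeChart getChart() {
        return chart;
    }

    // Deliberately no setters for width, height or the chart object: anything
    // with a public setter on a Struts 2 action can be populated from request
    // parameters, so sizing stays under the server's control.
}
```

With this in place the JSP line `<img src="jfreechart_reportProcessReport.action">` simply fetches a server-generated PNG, which is why the thread concludes that the client-side Java vulnerability discussed above does not reach users of the page.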