Well, the thread dump is here:
https://drive.google.com/file/d/0B5oeFmSS7h7EczdXMEF3eXRBSlk/edit?usp=sharing

Let me know if I'm missing something.

Thanks!
Leonardo

Regards,
Leonardo Santagostini
<http://ar.linkedin.com/in/santagostini>

2014-05-05 9:34 GMT-03:00 Leonardo Santagostini <lsantagost...@gmail.com>:

> Hello all, sorry for the delay, but I was on holiday from Wednesday.
>
> OK, I made a ticket with the developers for upgrading Struts. They told me
> that they will work on that.
>
> So, I will keep in touch with the news =)
>
> Again, thanks all for all the support you give me.
>
> Regards,
> Leonardo
>
> Regards,
> Leonardo Santagostini
> <http://ar.linkedin.com/in/santagostini>
>
> 2014-05-01 18:48 GMT-03:00 Christopher Schultz <ch...@christopherschultz.net>:
>
>> Cédric,
>>
>> On 5/1/14, 10:00 AM, Cédric Couralet wrote:
>> > 2014-04-30 19:07 GMT+02:00 Christopher Schultz
>> > <ch...@christopherschultz.net>:
>> >
>> > Leonardo,
>> >
>> > On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
>> >>>> I'm uploading my logfiles so they will be available when
>> >>>> finished uploading.
>> >
>> > Remember to get a thread dump while Runtime.exec() is running.
>> >
>> > You should copy the script /tmp/4.sh somewhere else so you have a
>> > copy in case the attacker tries to clean up after themselves.
>> > That's certainly what's doing the evil work.
>> >
>> > You could probably set up iptables or something to restrict
>> > outgoing requests so that the attack can't progress across your
>> > network.
>> >
>> >>>> Regarding the configuration, it's working in two other sites
>> >>>> without problem, and there is no problem putting L4 balancing
>> >>>> with haproxy.
>> >>>>
>> >>>> I have asked developers about that exploit, still without
>> >>>> answer.
>> >
>> > You appear to be using struts2 2.1.8, which is in the range of
>> > versions vulnerable to this bug. There is a workaround that you
>> > can probably apply:
>> > http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the
>> > last section on this page).
>> >
>> > Of course, the vulnerability doesn't allow you to simply inject
>> > code or anything like that: you can certainly mess around with code
>> > that is already available on the site, though.
>> >
>> >> I think the S2-021 can be used to inject code. There is a POC
>> >> circulating proving it. That said, this struts version (2.1.8) is
>> >> also vulnerable to
>> >> http://struts.apache.org/release/2.3.x/docs/s2-016.html which
>> >> permits code execution very easily.
>>
>> Ouch. Yeah, there's always that ;)
>>
>> -chris
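
The advice quoted above is to capture a thread dump while Runtime.exec() is running. As an added example (not part of the original messages), the following Python triages such a dump: it lists the threads whose stacks contain process-spawning frames and reports the first Struts2/OGNL frame beneath them. The function names and the sample dump are constructed for illustration and are not taken from the linked file.

```python
import re

# Frames showing a thread is starting or waiting on an OS process.
EXEC_FRAMES = ("java.lang.Runtime.exec", "java.lang.ProcessBuilder.start",
               "java.lang.UNIXProcess.", "java.lang.ProcessImpl.")
# Frames that tie the call to Struts2 / OGNL expression evaluation.
FRAMEWORK_FRAMES = ("ognl.", "com.opensymphony.xwork2.", "org.apache.struts2.")

HEADER = re.compile(r'^"([^"]+)"')         # "thread-name" daemon prio=...
FRAME = re.compile(r'^\s+at ([^\s(]+)\(')  # at pkg.Class.method(File.java:N)

def parse_threads(dump):
    """Split jstack / kill -3 output into {thread name: [frames, top first]}."""
    threads, current = {}, None
    for line in dump.splitlines():
        header, frame = HEADER.match(line), FRAME.match(line)
        if header:
            current = threads.setdefault(header.group(1), [])
        elif frame and current is not None:
            current.append(frame.group(1))
    return threads

def exec_threads(dump):
    """Return (thread, entry exec frame, first Struts/OGNL caller or None)."""
    hits = []
    for name, frames in parse_threads(dump).items():
        exec_idx = [i for i, f in enumerate(frames) if f.startswith(EXEC_FRAMES)]
        if exec_idx:
            entry = exec_idx[-1]  # deepest exec frame = the call made by app code
            via = next((f for f in frames[entry + 1:]
                        if f.startswith(FRAMEWORK_FRAMES)), None)
            hits.append((name, frames[entry], via))
    return hits

# Constructed sample dump for illustration (hypothetical thread names).
SAMPLE_DUMP = '''\
"http-bio-8080-exec-7" daemon prio=10 tid=0x01 nid=0x1a2b runnable
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.Runtime.exec(Runtime.java)
    at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java)

"http-bio-8080-exec-9" daemon prio=10 tid=0x02 nid=0x1a2c waiting on condition
    at sun.misc.Unsafe.park(Native Method)
'''

if __name__ == "__main__":
    for name, entry, via in exec_threads(SAMPLE_DUMP):
        print(f"{name}: {entry} reached via {via or 'non-Struts code'}")
```

A request thread that reaches Runtime.exec() through OGNL frames is the one to correlate with the access log entry for the same time.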