drill-user mailing list archives

From Saurabh Mahapatra <saurabhmahapatr...@gmail.com>
Subject Re: Does Drill Use Apache Struts
Date Fri, 08 Sep 2017 15:28:53 GMT
Thanks John, all. I think this discussion thread is important. As a community member, I learn
so much by reading these threads. 

Since you work in cyber security research, are there specific things we should think about
from a security standpoint for Drill? 

I know that we have a REST API and I am sure there are web apps being built around it. Are
there vulnerabilities that we need to be aware of? How can we advise users about this?

Thoughts? 

Best,
Saurabh 

Sent from my iPhone



> On Sep 8, 2017, at 7:41 AM, John Omernik <john@omernik.com> wrote:
> 
> Also, thank you for the pointer to the pom.xml
> 
>> On Fri, Sep 8, 2017 at 9:41 AM, John Omernik <john@omernik.com> wrote:
>> 
>> So, I thought I was clear that it was unverified, but I am also in cyber
>> security research, and this is what is being discussed in closed circles. I
>> agree, it may not be just struts, it's not spreading rumors to say, this
>> struts vulnerability is serious, and it's something that should be
>> considered in a massive breach like this. Also, as with most security
>> incidents, it is likely only a part of the story. It could be SQLi and it
>> could be Struts and it could be both or neither. To imply it was unrelated
>> SQLi is just as presumptuous as saying it was struts. Some folks are
>> talking about attackers using Struts to get to a zone where SQLi was
>> possible.  I will be clear(er): I have not verified that Equifax is wholly
>> struts, or even related to Struts, but my fear right now is focused on open
>> source projects that may use Struts and I think this is legitimate. Putting
>> it into context, I want to learn more how to ensure vulnerabilities in one
>> project/library are handled from a cascading point of view.
>> 
>> John
>> 
>>> On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis <bob@rud.is> wrote:
>>> 
>>> Equifax was likely unrelated SQL injection. Don't spread rumors.
>>> 
>>> Struts had yet-another-remote exploit (three of 'em, actually).
>>> 
>>> I do this for a living (cybersecurity research).
>>> 
>>> Drill is not impacted which can be verified by looking at dependencies
>>> in https://github.com/apache/drill/blob/master/pom.xml
>>> 
>>>> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik <john@omernik.com> wrote:
>>>> Rumors are pointing to it being related to the Equifax breach (no
>>>> confirmation from me on that, just seeing it referenced as a
>>> possibility)
>>>> 
>>>> http://thehackernews.com/2017/09/apache-struts-vulnerability.html
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning <ted.dunning@gmail.com>
>>> wrote:
>>>> 
>>>>> Almost certainly not.
>>>>> 
>>>>> What issues are you referring to? I don't follow struts.
>>>>> 
>>>>> 
>>>>> On Sep 8, 2017 16:00, "John Omernik" <john@omernik.com> wrote:
>>>>> 
>>>>> Hey all, given the recent issues related to Struts, can we confirm that
>>>>> Drill doesn't use this Apache component for anything? I am not good
>>> enough
>>>>> at code reviews to see what may be used.
>>>>> 
>>>>> John
>>>>> 
>>> 
>> 
>> 

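Bob's suggestion to check pom.xml answers "does Drill declare Struts?", but John's "cascading" concern is about what gets pulled in transitively, and a declared-dependency list does not show that. The resolved view comes from `mvn dependency:tree` (optionally narrowed with `-Dincludes=org.apache.struts`). The script below is an added example, not code from this thread or from the Drill project: it parses the text that `mvn dependency:tree` prints, using a constructed sample (not real Drill output, and the coordinates and versions in it are made up), and reports every artifact whose groupId or artifactId matches a pattern along with the chain of parents that pulled it in.

```python
"""Flag an artifact in a Maven dependency tree, including transitive pulls.

`mvn dependency:tree` prints every resolved artifact, not only the ones
declared in pom.xml, so it is the input to use for "does this project ship
library X anywhere?". Lines look like:

    [INFO] +- org.apache.struts:struts2-core:jar:2.3.5:compile

where the coordinate is groupId:artifactId:type[:classifier]:version:scope
and the drawing prefix ("+- ", "\\- ", "|  ", "   ") is three characters
per nesting level.
"""
import re
from typing import Dict, List

# Constructed sample of dependency:tree output. This is NOT Drill's tree;
# the coordinates and versions are invented for the example.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- org.apache.struts:struts2-core:jar:2.3.5:compile
[INFO] |  +- org.apache.struts.xwork:xwork-core:jar:2.3.5:compile
[INFO] |  \\- ognl:ognl:jar:3.0.6:compile
[INFO] +- com.example:internal-lib:jar:2.1.0:compile
[INFO] |  \\- org.apache.struts:struts2-rest-plugin:jar:2.3.5:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

_LINE_RE = re.compile(r"^([-+\\| ]*)(\S.*)$")
_PART_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def parse_tree(text: str) -> List[Dict]:
    """Return one record per artifact: group, artifact, version, depth, chain."""
    records: List[Dict] = []
    stack: List[str] = []  # "group:artifact" of each ancestor, indexed by depth
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = _LINE_RE.match(line)
        if not m:
            continue
        prefix, coord = m.group(1), m.group(2).strip()
        parts = coord.split(":")
        # Skip plugin banners, "BUILD SUCCESS" and anything else that is not
        # a Maven coordinate (4 to 6 colon-separated tokens, no spaces).
        if not 4 <= len(parts) <= 6 or not all(_PART_RE.fullmatch(p) for p in parts):
            continue
        depth = len(prefix) // 3
        group, artifact = parts[0], parts[1]
        # The root line has no scope, so its version is the last token.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]  # pop siblings/children of the previous branch
        stack.append(f"{group}:{artifact}")
        records.append({"group": group, "artifact": artifact, "version": version,
                        "depth": depth, "chain": list(stack)})
    return records


def find_artifacts(tree_text: str, pattern: str) -> List[Dict]:
    """Artifacts whose groupId or artifactId matches `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in parse_tree(tree_text)
            if rx.search(r["group"]) or rx.search(r["artifact"])]


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt; python this_script.py < tree.txt
    hits = find_artifacts(SAMPLE_TREE, r"struts")
    for h in hits:
        print(f"{h['group']}:{h['artifact']}:{h['version']}  via  "
              + " -> ".join(h["chain"]))
```

The chain is the useful part: a hit at depth 2 under an internal library means the fix is in that library's pom, not the top-level one, which is exactly the cascading case John raises. A pattern on the groupId catches renamed sub-artifacts (the `xwork` module above) that a search for the literal string `struts2-core` would miss.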