drill-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Omernik <j...@omernik.com>
Subject Re: Does Drill Use Apache Struts
Date Fri, 08 Sep 2017 14:41:16 GMT
Also, thank you for the pointer to the pom.xml

On Fri, Sep 8, 2017 at 9:41 AM, John Omernik <john@omernik.com> wrote:

> So, I thought I was clear that it was unverified, but I also I am in cyber
> security research, and this is what is being discussed in closed circles. I
> agree, it may not be just struts, it's not spreading rumors to say, this
> struts vulnerability is serious, and it's something that should be
> considered in a massive breech like this. Also, as with most security
> incidents, it is likely only a part of the story. It could be SQLi and it
> could be Struts and it could be both or neither. To imply it was unrelated
> SQLi is just as presumptuous as saying it was struts. Some folks are
> talking about attackers using Struts to get to a zone where SQLi was
> possible.  I will be clear(er): I have not verified that Equifax is wholly
> struts, or even related to Struts, but my fear right now is focused on open
> source projects that may use Struts and I think this is legitimate. Putting
> it into context, I want to learn more how to ensure vulnerabilities in one
> project/library are handled from a cascading point of view.
>
> John
>
> On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis <bob@rud.is> wrote:
>
>> Equifax was likely unrelated SQL injection. Don't spread rumors.
>>
>> Struts had yet-another-remote exploit (three of 'em, actually).
>>
>> I do this for a living (cybersecurity research).
>>
>> Drill is not impacted which can be verified by looking at dependencies
>> in https://github.com/apache/drill/blob/master/pom.xml
>>
>> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik <john@omernik.com> wrote:
>> > Rumors are pointing to it being related to the Equifax breech (no
>> > confirmation from me on that, just seeing it referenced as a
>> possibility)
>> >
>> > http://thehackernews.com/2017/09/apache-struts-vulnerability.html
>> >
>> >
>> >
>> >
>> > On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning <ted.dunning@gmail.com>
>> wrote:
>> >
>> >> Almost certainly not.
>> >>
>> >> What issues are you referring to? I don't follow struts.
>> >>
>> >>
>> >> On Sep 8, 2017 16:00, "John Omernik" <john@omernik.com> wrote:
>> >>
>> >> Hey all, given the recent issues related to Struts, can we confirm that
>> >> Drill doesn't use this Apache component for anything? I am not good
>> enough
>> >> at code reviews to see what may be used.
>> >>
>> >> John
>> >>
>>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message