drill-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Omernik <j...@omernik.com>
Subject Re: Does Drill Use Apache Struts
Date Fri, 08 Sep 2017 14:41:03 GMT
So, I thought I was clear that it was unverified, but I also I am in cyber
security research, and this is what is being discussed in closed circles. I
agree, it may not be just struts, it's not spreading rumors to say, this
struts vulnerability is serious, and it's something that should be
considered in a massive breech like this. Also, as with most security
incidents, it is likely only a part of the story. It could be SQLi and it
could be Struts and it could be both or neither. To imply it was unrelated
SQLi is just as presumptuous as saying it was struts. Some folks are
talking about attackers using Struts to get to a zone where SQLi was
possible.  I will be clear(er): I have not verified that Equifax is wholly
struts, or even related to Struts, but my fear right now is focused on open
source projects that may use Struts and I think this is legitimate. Putting
it into context, I want to learn more how to ensure vulnerabilities in one
project/library are handled from a cascading point of view.


On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis <bob@rud.is> wrote:

> Equifax was likely unrelated SQL injection. Don't spread rumors.
> Struts had yet-another-remote exploit (three of 'em, actually).
> I do this for a living (cybersecurity research).
> Drill is not impacted which can be verified by looking at dependencies
> in https://github.com/apache/drill/blob/master/pom.xml
> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik <john@omernik.com> wrote:
> > Rumors are pointing to it being related to the Equifax breech (no
> > confirmation from me on that, just seeing it referenced as a possibility)
> >
> > http://thehackernews.com/2017/09/apache-struts-vulnerability.html
> >
> >
> >
> >
> > On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning <ted.dunning@gmail.com>
> wrote:
> >
> >> Almost certainly not.
> >>
> >> What issues are you referring to? I don't follow struts.
> >>
> >>
> >> On Sep 8, 2017 16:00, "John Omernik" <john@omernik.com> wrote:
> >>
> >> Hey all, given the recent issues related to Struts, can we confirm that
> >> Drill doesn't use this Apache component for anything? I am not good
> enough
> >> at code reviews to see what may be used.
> >>
> >> John
> >>

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message