From: John Omernik
Date: Fri, 8 Sep 2017 09:41:03 -0500
Subject: Re: Does Drill Use Apache Struts
To: user@drill.apache.org

So, I thought I was clear that it was unverified, but I also am in cyber
security research, and this is what is being discussed in closed circles. I
agree, it may not be just Struts; it's not spreading rumors to say this Struts
vulnerability is serious, and it's something that should be considered in a
massive breach like this. Also, as with most security incidents, it is likely
only a part of the story. It could be SQLi and it could be Struts and it could
be both or neither. To imply it was unrelated SQLi is just as presumptuous as
saying it was Struts. Some folks are talking about attackers using Struts to
get to a zone where SQLi was possible.

I will be clear(er): I have not verified that Equifax is wholly Struts, or
even related to Struts, but my fear right now is focused on open source
projects that may use Struts, and I think this is legitimate. Putting it into
context, I want to learn more about how to ensure vulnerabilities in one
project/library are handled from a cascading point of view.

John

On Fri, Sep 8, 2017 at 9:15 AM, Bob Rudis wrote:
> Equifax was likely unrelated SQL injection. Don't spread rumors.
>
> Struts had yet-another-remote exploit (three of 'em, actually).
>
> I do this for a living (cybersecurity research).
>
> Drill is not impacted which can be verified by looking at dependencies
> in https://github.com/apache/drill/blob/master/pom.xml
>
> On Fri, Sep 8, 2017 at 10:12 AM, John Omernik wrote:
> > Rumors are pointing to it being related to the Equifax breach (no
> > confirmation from me on that, just seeing it referenced as a possibility)
> >
> > http://thehackernews.com/2017/09/apache-struts-vulnerability.html
> >
> > On Fri, Sep 8, 2017 at 9:07 AM, Ted Dunning wrote:
> >
> >> Almost certainly not.
> >>
> >> What issues are you referring to? I don't follow Struts.
> >>
> >> On Sep 8, 2017 16:00, "John Omernik" wrote:
> >>
> >> Hey all, given the recent issues related to Struts, can we confirm that
> >> Drill doesn't use this Apache component for anything? I am not good
> >> enough at code reviews to see what may be used.
> >>
> >> John
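Bob's pointer to pom.xml and John's question about how a vulnerability in one library cascades into the projects that consume it come down to one check: does any artifact anywhere in the build's dependency graph fall inside an advisory's affected version range. A pom.xml lists only the dependencies a project declares directly; what those dependencies pull in transitively shows up in the output of `mvn dependency:tree`. The script below is an added example, not code from the Drill project or from anyone on this thread. It reads direct dependencies from a pom, reads every coordinate (direct and transitive) from the tree output, and classifies the artifacts an advisory names. The advisory table, the pom fragment and the tree output are constructed samples, and the version ranges in the table are placeholders rather than the ranges from any real Struts advisory.

```python
"""Check a Maven project for artifacts named in a vulnerability advisory.

Added example, not code from the Drill project or from the thread. The
advisory table, pom fragment and tree output below are all constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

# Hypothetical advisory: (groupId, artifactId) -> inclusive [first, last] bad
# version ranges. Placeholder values; take the real ranges from the advisory.
ADVISORY: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("org.apache.struts", "struts2-core"): [("2.0.0", "2.3.33"), ("2.5", "2.5.12")],
    ("org.apache.struts", "struts2-rest-plugin"): [("2.1.2", "2.3.33"), ("2.5", "2.5.12")],
}

# Constructed pom.xml fragment: the project depends directly only on a shim.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>web-shim</artifactId><version>0.9</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Constructed `mvn dependency:tree` output for the same project; the Struts
# artifacts arrive only through the shim and never appear in the pom.
SAMPLE_TREE = """[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-app ---
[INFO] org.example:example-app:jar:1.0.0
[INFO] +- org.example:web-shim:jar:0.9:compile
[INFO] |  +- org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO] |  \\- org.apache.struts:struts2-rest-plugin:jar:2.5.13:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")  # "[INFO] |  +- " and friends


def pom_direct_dependencies(pom_xml: str) -> List[Coord]:
    """Dependencies declared in the pom itself; transitive ones are invisible here.
    A version set via a property or a parent's dependencyManagement comes back
    unresolved (e.g. "${struts.version}" or ""), which classify() routes to review."""
    root = ET.fromstring(pom_xml)
    out = []
    for dep in root.findall("./m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS)
        a = dep.findtext("m:artifactId", default="", namespaces=NS)
        v = dep.findtext("m:version", default="", namespaces=NS)
        out.append((g, a, v))
    return out


def tree_coordinates(tree_text: str) -> List[Coord]:
    """Every artifact in `mvn dependency:tree` output, direct or transitive.
    Coordinate lines read groupId:artifactId:type[:classifier]:version:scope;
    the project root has no scope. Non-coordinate lines are skipped."""
    coords = []
    for line in tree_text.splitlines():
        parts = TREE_PREFIX.sub("", line).strip().split(":")
        if len(parts) < 4 or any(not p or " " in p for p in parts):
            continue
        version = parts[3] if len(parts) == 4 else parts[-2]
        coords.append((parts[0], parts[1], version))
    return coords


def version_key(v: str) -> Tuple[int, ...]:
    """Comparable key for plain numeric versions such as 2.3.31 or 2.5.
    Raises ValueError on qualifiers (2.5-SNAPSHOT, 2.5.13-beta) because Maven's
    ordering for those is more involved than this example implements."""
    return tuple(int(p) for p in v.split("."))


def classify(coord: Coord, advisory=ADVISORY) -> str:
    """'affected', 'ok', 'review' (unparseable version) or 'unlisted'."""
    g, a, v = coord
    ranges = advisory.get((g, a))
    if ranges is None:
        return "unlisted"
    try:
        key = version_key(v)
    except ValueError:
        return "review"
    for lo, hi in ranges:
        if version_key(lo) <= key <= version_key(hi):
            return "affected"
    return "ok"


def scan(pom_xml: str, tree_text: str, advisory=ADVISORY) -> Dict[str, List[Coord]]:
    """Bucket the listed artifacts by status and record which ones a pom-only
    review would never have seen."""
    report: Dict[str, List[Coord]] = {"affected": [], "ok": [], "review": [], "hidden_from_pom": []}
    direct = {(g, a) for g, a, _ in pom_direct_dependencies(pom_xml)}
    for coord in tree_coordinates(tree_text):
        status = classify(coord, advisory)
        if status == "unlisted":
            continue
        report[status].append(coord)
        if (coord[0], coord[1]) not in direct:
            report["hidden_from_pom"].append(coord)
    return report


if __name__ == "__main__":
    for status, coords in scan(SAMPLE_POM, SAMPLE_TREE).items():
        for g, a, v in coords:
            print(f"{status:16} {g}:{a}:{v}")
```

To run this against a real build, run `mvn dependency:tree` at the project root and feed the saved console output to `scan`; a multi-module build prints one tree per module, so every module's tree has to be covered. Anything that lands in the review bucket, or whose version sits at the edge of a range, still needs a human look, because the version comparison here handles only plain numeric releases.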