struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Gawron" <dgaw...@us.ibm.com>
Subject Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
Date Fri, 04 Sep 2015 16:51:27 GMT
Dave,

Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I 
assumed it was very unlikely that the same vulnerability existed in Struts 
1, but I needed to ask.

-Dave-




From:   Dave Newton <davelnewton@gmail.com>
To:     Struts Users Mailing List <user@struts.apache.org>
Date:   09/03/2015 05:01 PM
Subject:        Re: Is the vulnerability documented in CVE-2015-5169 also 
applicable to Struts 1?



There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.

Dave


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgawron@us.ibm.com> wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. 
Anyone
> know if the vulnerability also exists in Struts 1 in some form?  I 
realize
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property 
in
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd 
appreciate
> hearing  any info others have on CVE-2015-5169 and Struts 1.
>
> -Dave-
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>




Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message