struts-user mailing list archives

From Dave Newton <davelnew...@gmail.com>
Subject Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
Date Fri, 04 Sep 2015 17:01:20 GMT
It was actually a rebranding of an existing framework, but yep; separate
codebase.

On Fri, Sep 4, 2015 at 12:51 PM, David Gawron <dgawron@us.ibm.com> wrote:

> Dave,
>
> Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I
> assumed it was very unlikely that the same vulnerability existed in Struts
> 1, but I needed to ask.
>
> -Dave-
>
>
>
>
> From:   Dave Newton <davelnewton@gmail.com>
> To:     Struts Users Mailing List <user@struts.apache.org>
> Date:   09/03/2015 05:01 PM
> Subject:        Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
>
>
>
> There's no such thing as `devMode` in Struts 1.
>
> Struts 1 vulnerabilities would be in Struts 1 announcements, although with
> the EOL, announcements and fixes may never happen.
>
> Struts 1 and Struts 2 have essentially zero in common.
>
> Dave
>
>
> On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgawron@us.ibm.com> wrote:
>
> > The security bulletin for CVE-2015-5169
> > (https://struts.apache.org/docs/s2-025.html) only mentions Struts 2.
> > Anyone know if the vulnerability also exists in Struts 1 in some form?
> > I realize Struts 1.x are no longer supported and that is why the
> > bulletin doesn't cover those releases.  I grabbed the 1.3.10 code and
> > searched for the devMode property (that property appears to be involved
> > in the vulnerability) and did not find any refs.  Searching for that
> > property in 2.x yields lots of references and leads me to believe the
> > devMode functionality was added in Struts 2.  If so, then that is good
> > but not conclusive evidence the vulnerability is not in Struts 1.  I'd
> > appreciate hearing any info others have on CVE-2015-5169 and Struts 1.
> >
> > -Dave-
> >
> >
>
>


-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
