struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chunduru, Krishnachaithanya" <Krishnachaithanya.Chund...@broadridge.com>
Subject RE: Apache Struts Vulnerability - CVE-2017-9791
Date Mon, 24 Jul 2017 07:36:11 GMT
Hi Lukasz,

Thanks for the prompt response. 

I was referring to Apache version we have i.e., 2.4.10. 

I'm not sure how to check the struts version we are having.  As you mentioned 2.5.x series
is not affected where and how to check this version on server, I tried googling these issues
but it was of very little help.

I was also trying to check for the other vulnerabilities that are present in 1.1 version.
Once again thanks for the help.

Regards,
Krishna


-----Original Message-----
From: Lukasz Lenart [mailto:lukaszlenart@apache.org] 
Sent: Monday, July 24, 2017 12:53 PM
To: Struts Users Mailing List
Subject: Re: Apache Struts Vulnerability - CVE-2017-9791

2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya
<Krishnachaithanya.Chunduru@broadridge.com>:

> Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.

I assume you meant 2.5.10 as there is no such version as 2.4.10. And as stated in the description
2.5.x series isn't affected as it doesn't ship with the Struts 1 plugin, only Struts 2.3.x
can be affected

http://struts.apache.org/docs/s2-048.html

> I tired checking in the MANIFEST.MF file, where is the implementation version shows v.1.1.
how to resolve this issue, can we upgrade the struts? Thank you.

Looks like you are running the previous version of Struts, version 1.1 which isn't affected
by the vulnerability (but there are other vulnerabilities which affect this version).


Regards
--
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


This message and any attachments are intended only for the use of the addressee and may contain
information that is privileged and confidential. If the reader of the message is not the intended
recipient or an authorized representative of the intended recipient, you are hereby notified
that any dissemination of this communication is strictly prohibited. If you have received
this communication in error, please notify us immediately by e-mail and delete the message
and any attachments from your system.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Mime
View raw message