struts-user mailing list archives

From song6295@gmail.com <song6...@gmail.com>
Subject Re: Is there a future 2.3.x release for CVE-2018-7489 recently
Date Fri, 30 Mar 2018 10:39:59 GMT
Hi Lukasz, 
Sorry, I pasted the wrong CVE identifier in the subject; the CVE I want to check is CVE-2018-1327 (S2-056,
Affected Software: Struts 2.1.1 - Struts 2.5.14.1).

Actually, my application doesn't even have the Struts REST plugin jars in its package. But it seems
one of my big customers has very strict security policies: they found there's Struts 2.3.x
in my application, and there's a vulnerability in the Struts jars, so their security team requested the operations
team to shut down the application server before this gets fixed.

So I want to check: is there any plan for 2.3.x releases?

Thanks.

On 2018/03/30 07:50:43, Lukasz Lenart <lukaszlenart@apache.org> wrote: 
> 2018-03-30 5:14 GMT+02:00 song6295@gmail.com <song6295@gmail.com>:
> > My team needs to fix CVE-2018-7489 in a few days, and there's a lot of code changes if we
> > migrate to 2.5.x.
> > Where can I find the release schedule plans for Struts 2?
> 
> Not sure what you mean by that? This vulnerability is only possible
> when you are using @JsonTypeInfo on Object (which means you
> are using a very broad pattern) or if you enabled "default typing" in
> Jackson. Please read this [1] article for the full story.
> 
> [1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
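As an added example, not code from this thread or from the Struts project, the two Jackson configurations the reply distinguishes side by side: default typing on Object-typed properties with no restriction (the condition under which the Jackson CVEs apply) and the allowlisted form available since Jackson 2.10. The `Envelope`/`Note` classes and the JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {
    // Constructed model: a property declared as Object is the broad pattern
    // the reply mentions, since the incoming JSON then names the class to build.
    public static class Envelope { public Object payload; }
    public static class Note { public String text; }

    // Weak setting: default typing for Object-typed properties with no
    // restriction, so any type id the JSON carries is resolved and instantiated.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT); // deprecated in 2.10
        return m;
    }

    // Hardened setting (Jackson 2.10+): same default typing, but a type id is
    // only resolved when the named class is on an explicit subtype allowlist.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
        return m;
    }

    // True when the mapper refuses the type id instead of instantiating it.
    static boolean rejectsTypeId(ObjectMapper m, String json) throws java.io.IOException {
        try {
            m.readValue(json, Envelope.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default WRAPPER_ARRAY form: [type id, value].
        String listed = "{\"payload\":[\"DefaultTypingCheck$Note\",{\"text\":\"hi\"}]}";
        String unlisted = "{\"payload\":[\"java.util.HashMap\",{}]}";
        Note n = (Note) hardenedMapper().readValue(listed, Envelope.class).payload;
        System.out.println("allowlisted type id accepted: " + n.text);
        System.out.println("weak mapper rejects unlisted id: " + rejectsTypeId(weakMapper(), unlisted));
        System.out.println("hardened mapper rejects unlisted id: " + rejectsTypeId(hardenedMapper(), unlisted));
    }
}
```

Only the hardened mapper refuses the unlisted type id; grepping a code base for `enableDefaultTyping` or `@JsonTypeInfo` on `Object`-typed fields is the quick way to tell which of the two situations the reply describes applies to an application.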

