Apache Struts 1

Greenhorn
Posts: 2
Folks,

I hope someone on here can help me find an answer. Basically I am researching Struts 1 (not 2) and want to find something from the Struts team that acknowledges the vulnerability CVE-2016-1182. I have completed some research and found such things as

https://www.securityfocus.com/bid/91067

https://issues.apache.org/jira/browse/STR-539?jql=project%20%3D%20STR%20AND%20text%20~%20%22security%22

https://www.fortinet.com/blog/threat-research/the-analysis-of-apache-struts-1-actionservlet-validator-bypass-cve-2016-1182.html

https://www.cvedetails.com/cve/CVE-2016-1182/er


But I need something where Struts themselves accept this as a vulnerability. I was on their site and it details security bulletins on Struts 2 (I know Struts 1 is end of support) -

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

This is quite important and I would really appreciate it if anyone can help me find something along these lines.

Thanks, any help is greatly appreciated.
-Liam
Saloon Keeper
Posts: 5809
Why would you expect them to acknowledge this? Struts 1 was EOL long before this, so why would they spend time on it, especially when external researchers have already done that? Obviously, it won't be fixed. Why do you "need something where the Struts folks accept it"? What difference does that make?

IMO, anyone who uses Struts 1 at this point should be charged with criminal negligence if something happens because of it.
Liam Shovelin
Greenhorn
Posts: 2
Tim,

Thanks for the reply. I am doing some research on the Struts 1 framework and more specifically CVE-2016-1182. I totally get what you are saying, but I am trying to form a paper trail to the vulnerability (CVE-2016-1182) for my Masters research.

I just need a link or document where Apache recognizes the issue. I believe it was never fixed, so just the acknowledgement, something more concrete than this >> https://www.securityfocus.com/bid/91067

If you are familiar and can help me, I would greatly appreciate it.

-Liam
Saloon Keeper
Posts: 21128
One of the things that "End of Life" means is that the creator/vendor no longer supports that version of the product. I'm pretty sure that Struts 1 was LONG past end-of-life before the date of the official filing listed at the site you mentioned. So very unlikely that it was ever repaired by Apache. Any ameliorations would have been done by secondary vendors such as IBM.

It says that the vulnerability was reported by the vendor, so if you want to research its discovery, you should go to apache.org and rummage through the Struts incident-tracking database. Click the "References" tab on the incident report page to get a list of hyperlinks relating to the filing and fixes. The very first one is the struts.apache.org link and there's a pull-down menu to access their issue data from there.