Apache Struts 1

Greenhorn
Posts: 2
Folks,

I hope someone here can help me find an answer. Basically I am researching Struts 1 (not 2) and want to find something from the Struts team that acknowledges the vulnerability CVE-2016-1182. I have completed some research and found such things as

https://www.securityfocus.com/bid/91067

https://issues.apache.org/jira/browse/STR-539?jql=project%20%3D%20STR%20AND%20text%20~%20%22security%22

https://www.fortinet.com/blog/threat-research/the-analysis-of-apache-struts-1-actionservlet-validator-bypass-cve-2016-1182.html

https://www.cvedetails.com/cve/CVE-2016-1182/er


But I need something where Struts themselves accept this as a vulnerability. I was on their site and it details security bulletins on Struts 2 (I know Struts 1 is end of support) -

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

This is quite important and I would really appreciate it if anyone can help me find something along these lines.

Thanks, any help is greatly appreciated.
-Liam
Saloon Keeper
Posts: 5401
Why would you expect them to acknowledge this? Struts 1 was EOL long before this, so why would they spend time on it, especially when external researchers have already done that? Obviously, it won't be fixed. Why do you "need something where the Struts folks accept it"? What difference does that make?

IMO, anyone who uses Struts 1 at this point should be charged with criminal negligence if something happens because of it.
Liam Shovelin
Greenhorn
Posts: 2
Tim,

Thanks for the reply. I am doing some research on the Struts 1 framework and more specifically CVE-2016-1182. I totally get what you are saying, but I am trying to form a paper trail to the vulnerability (CVE-2016-1182) for my Master's research.

I just need a link to a document where Apache recognizes the issue. I believe it was never fixed, so just the acknowledgement, something more concrete than this >> https://www.securityfocus.com/bid/91067

If you are familiar and can help me, I would greatly appreciate it.

-Liam
Saloon Keeper
Posts: 20643
One of the things that "End of Life" means is that the creator/vendor no longer supports that version of the product. I'm pretty sure that Struts 1 was LONG past end-of-life before the date of the official filing listed at the site you mentioned. So it is very unlikely that it was ever repaired by Apache. Any ameliorations would have been done by secondary vendors such as IBM.

It says that the vulnerability was reported by the vendor, so if you want to research its discovery, you should go to apache.org and rummage through the Struts incident-tracking database. Click the "References" tab on the incident report page to get a list of hyperlinks relating to the filing and fixes. The very first one is the struts.apache.org link and there's a pull-down menu to access their issue data from there.