Apache Struts Vulnerability - CVE-2017-9791


Apache Struts Vulnerability - CVE-2017-9791

Chunduru, Krishnachaithanya

Hi All,

 

Can someone please confirm if Apache 2.4.10 is vulnerable to CVE-2017-9791?

We came to know that Apache which is having Apache Struts version 2.3.x with Struts 1 plugin and Struts 1 action is highly vulnerable. If exploited, this vulnerability would allow a remote code execution attack.

 

Regards,

Krishna

 


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

Re: Apache Struts Vulnerability - CVE-2017-9791

Luca Toscano
Hi,

2017-07-21 18:35 GMT+02:00 Chunduru, Krishnachaithanya <[hidden email]>:

> Hi All,
>
> Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.
>
> We came to know that Apache which is having Apache Struts version 2.3.x with Struts 1 plugin and Struts 1 action is highly vulnerable. If exploited, this vulnerability would allow a remote code execution attack.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791 seems to be related to Apache Struts only (that is a JEE framework) with no connection with httpd, so it would probably be worth following up with the project's user email list, in my opinion: https://struts.apache.org/mail.html

Luca 


RE: Apache Struts Vulnerability - CVE-2017-9791

Chunduru, Krishnachaithanya

Thanks Luca. I will follow up with them.

 

Regards,

Krishna

 

From: Luca Toscano [mailto:[hidden email]]
Sent: Friday, July 21, 2017 10:25 PM
To: [hidden email]
Subject: Re: [users@httpd] Apache Struts Vulnerability - CVE-2017-9791

 

> Hi,
>
> 2017-07-21 18:35 GMT+02:00 Chunduru, Krishnachaithanya <[hidden email]>:
>
> > Hi All,
> >
> > Can someone please confirm if Apache 2.4.10 is vulnerable to the CVE-2017-9791.
> >
> > We came to know that Apache which is having Apache Struts version 2.3.x with Struts 1 plugin and Struts 1 action is highly vulnerable. If exploited, this vulnerability would allow a remote code execution attack.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791 seems to be related to Apache Struts only (that is a JEE framework) with no connection with httpd, so probably it would be worth to follow up with the project's user email list in my opinion: https://struts.apache.org/mail.html
>
> Luca

 



RE: Apache Struts Vulnerability - CVE-2017-9791

jay Cheng
This post has NOT been accepted by the mailing list yet.
Hi Krishna and Luca, I'd like to know the results, too. I use Apache 2.4.25 for Bugzilla 5.0.3. I want to know the Apache Struts Vulnerability - CVE-2017-9791 for this version. Thanks. Jay