This is a good idea. I will post to the security group.
On 10.01.2024 at 12:22, Lukasz Lenart wrote:
Hi Sebastian,
To be honest I have no idea why this triggers any alert. The
vulnerability targets Tiles 2.0 [1] while Struts (even before merging
the codebase) is using Tiles 3 which shouldn't be affected. This could
be an issue of false positive alert in OWASP. Also the vulnerability
report looks suspicious as it mentions manipulating the session
attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the
tiles-test example [2] I can say it's a developer fault, not a library
vulnerability; the report is invalid IMO.
We can move this discussion to security@struts.a.o to get support from
ASF Security gurus.
[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2] https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102
Cheers
Łukasz
Wed, 10 Jan 2024 at 11:08 Sebastian Götz <s.go...@inform-technology.de>
wrote:
Hi Lukasz,
happy new year to you and everyone as well!
Unfortunately I had some trouble with the mailing list and thus
did not receive your reply. I found it by browsing the group in a
browser, so I post your reply here for reference:
Happy New Year!
The Tiles codebase has been copied into the Struts Tiles plugin
[1] and it's a part of the Struts 6.3.0 right now. Migrating to
this version should solve the problem. And we (Struts) are going
to maintain the Tiles codebase under the plugin, so no worries :)
[1] https://issues.apache.org/jira/browse/WW-5233
Cheers
Łukasz
I am very glad to hear that we do not have to move away from Tiles
as it is a core of our product. We are running the OWASP
dependency checker during the build. As we are on Struts 6.3.0.2
already, which should be the most recent version, I am not quite
clear what to do now as the checker still marks
struts-tiles-plugin.jar as vulnerable:
Dependency-Check Failure: One or more dependencies were identified
with vulnerabilities that have a CVSS score greater than or equal
to '7,0': struts2-tiles-plugin.jar: CVE-2023-49735
So my question is: can we treat this as a false positive or is the
vulnerability still there and we need to wait for a fix version?
Kind regards
Sebastian
On 02.01.2024 at 09:57, Sebastian Götz wrote:
Hello to anybody and a happy new year!
Our dependency check started to fail last year already, marking
struts2-tiles-plugin as the source of a security issue. As the
plugin uses Apache Tiles 3.0.8 underneath it is affected by
CVE-2023-49735.
Now as we use the struts-tiles-plugin to build our web pages and
the Tiles project is already retired, can somebody on the team
explain how to mitigate the security issue (besides moving away
from Tiles completely)?
Kind regards
Sebastian
--
Kind regards
iNFORM Technology GmbH
Sebastian Götz
*****************************************************
iNFORM Technology GmbH
Berliner Straße 24
72458 Albstadt-Ebingen
Tel: +49 7431 9816090
s.go...@inform-technology.de
http://www.inform-technology.de/
*****************************************************
<https://www.facebook.com/informTechnologyGmbH/>
Managing Director: Christian Wanner | Commercial Register: HRB 773712,
Stuttgart District Court | VAT ID No.: DE312290945
This e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or have
received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorised copying,
disclosure or distribution of the material in this e-mail is
strictly forbidden.
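If the ASF security team confirms that the Tiles 2.x finding does not apply to the Struts plugin, the decision should be recorded in a scoped OWASP Dependency-Check suppression rather than by lowering the failing CVSS threshold. The following suppression file is an added example, not from the thread or the Struts project; the Maven coordinates org.apache.struts:struts2-tiles-plugin and the expiry date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: scoped suppression for the finding discussed in the thread.
     Only the named CVE on the named artifact is suppressed; other findings on
     the plugin or on other jars still fail the build. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- "until" forces the suppression to be revisited (assumed date). -->
  <suppress until="2024-07-01Z">
    <notes><![CDATA[
      CVE-2023-49735 targets Tiles 2.0 session-locale handling; the Struts
      plugin ships the Tiles 3 code line. Reference the security@struts
      thread / ticket that confirmed the false positive here before merging.
    ]]></notes>
    <!-- Match the artifact by package URL, not by file name, so a renamed
         or shaded jar with the same coordinates is still covered. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts2\-tiles\-plugin@.*$</packageUrl>
    <cve>CVE-2023-49735</cve>
  </suppress>
</suppressions>
```

Point the scanner at the file (for the Maven plugin via the suppressionFiles configuration); when the expiry passes the finding resurfaces, which is the prompt to re-check whether a fixed plugin release exists.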