Hi Lukasz, Thanks for the prompt response.
I was referring to Apache version we have i.e., 2.4.10. I'm not sure how to check the struts version we are having. As you mentioned 2.5.x series is not affected where and how to check this version on server, I tried googling these issues but it was of very little help. I was also trying to check for the other vulnerabilities that are present in 1.1 version. Once again thanks for the help. Regards, Krishna -----Original Message----- From: Lukasz Lenart [mailto:lukaszlen...@apache.org] Sent: Monday, July 24, 2017 12:53 PM To: Struts Users Mailing List Subject: Re: Apache Struts Vulnerability - CVE-2017-9791 2017-07-23 14:20 GMT+02:00 Chunduru, Krishnachaithanya <krishnachaithanya.chund...@broadridge.com>: > Can someone please confirm if Apache 2.4.10 is vulnerable to the > CVE-2017-9791. I assume you meant 2.5.10 as there is no such version as 2.4.10. And as stated in the description 2.5.x series isn't affected as it doesn't ship with the Struts 1 plugin, only Struts 2.3.x can be affected http://struts.apache.org/docs/s2-048.html > I tired checking in the MANIFEST.MF file, where is the implementation version > shows v.1.1. how to resolve this issue, can we upgrade the struts? Thank you. Looks like you are running the previous version of Struts, version 1.1 which isn't affected by the vulnerability (but there are other vulnerabilities which affect this version). Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
