Re: How to determine if a Windows server is running Apache Struts?
On Wed, Sep 6, 2017 at 7:56 PM, Ken McWilliams wrote:

> Programs can also be "exploded" (not in any type of zip file) so be sure to search all files in the normal filesystem as well. To test your script just create a couple zip files with some nested folders where you have placed some made up files either called "struts.xml" or "struts2-core-*.jar" to be sure that your script is able to identify them. If they don't find those, your script is unhappy!
>
> On Wed, Sep 6, 2017 at 5:51 PM, Ken McWilliams wrote:
>
> > Struts isn't a stand alone program but a framework, typically seen as project dependency which supports web development on the JVM.
> >
> > I don't know the answer to 1) [although I will at the end go through the process I would attempt to find such programs].
> >
> > 2) No. Struts2 [which is different code base from struts v1, and does not share the same issues] is a Java Web Framework, it will run on any JEE compliant web server, and will run on embedded web servers such as Jetty.
> >
> > 3) No. And the program list will not determine if the program uses the struts framework.
> >
> > How I would attempt to determine the issue:
> >
> > Most programs will not have been obfuscated (which may make determining this much harder).
> > Java applications are typically packaged as JAR, WAR, or EAR. These are all just zip files. I would automate the process to scan for all such files, open them, recursively travel their internal folder structure and search for either struts.xml OR struts2-core-*.jar where "*" is a version number, and accumulate all such files and/or paths to these files into a plain text document and then check them by hand [to determine the version of struts, and determine if it has the security exploit and/or is exploitable (if it isn't accessible to the outside world generally it isn't a concern, of course this depends on company size and the nature of what is being secured)]. Some assumptions could be made about the internal project structure that could save a great deal of time but because of build differences these shortcuts (assuming what folder libraries are stored in) could cause you to miss something so it is probably best to just search everything.
> >
> > On Wed, Sep 6, 2017 at 4:56 PM, Sean Son wrote:
> >
> > > Hello all
> > >
> > > I am new to the mailing list as well as new to Apache Struts. We all heard in the news about the vulnerability affecting Apache Struts. I have been tasked to determine which of our servers have Struts running on them. I have a few questions on how to determine if a server is running Struts or not:
> > >
> > > 1) How does one determine if a Windows server, running IIS, has the Apache Struts framework installed on it?
> > >
> > > 2) Does Apache Struts only run on Apache Webserver and Tomcat?
> > >
> > > 3) Is there a simple way to determine if a server has Struts installed, instead of logging into each of the servers and checking the programs list?
> > >
> > > I appreciate ALL help!
> > >
> > > Thanks
> > >
> > > Sean
> >
> > --
> > Sent from my C64 using a 300 baud modem
>
> --
> Sent from my C64 using a 300 baud modem

Thank you for your reply. Do you know what script should be used for Windows servers to check for Struts? I am not a Windows Admin, so any guidance will be greatly appreciated!

Thanks
Re: How to determine if a Windows server is running Apache Struts?
Programs can also be "exploded" (not in any type of zip file) so be sure to search all files in the normal filesystem as well. To test your script just create a couple zip files with some nested folders where you have placed some made up files either called "struts.xml" or "struts2-core-*.jar" to be sure that your script is able to identify them. If they don't find those, your script is unhappy!

On Wed, Sep 6, 2017 at 5:51 PM, Ken McWilliams wrote:

> Struts isn't a stand alone program but a framework, typically seen as project dependency which supports web development on the JVM.
>
> I don't know the answer to 1) [although I will at the end go through the process I would attempt to find such programs].
>
> 2) No. Struts2 [which is different code base from struts v1, and does not share the same issues] is a Java Web Framework, it will run on any JEE compliant web server, and will run on embedded web servers such as Jetty.
>
> 3) No. And the program list will not determine if the program uses the struts framework.
>
> How I would attempt to determine the issue:
>
> Most programs will not have been obfuscated (which may make determining this much harder).
> Java applications are typically packaged as JAR, WAR, or EAR. These are all just zip files. I would automate the process to scan for all such files, open them, recursively travel their internal folder structure and search for either struts.xml OR struts2-core-*.jar where "*" is a version number, and accumulate all such files and/or paths to these files into a plain text document and then check them by hand [to determine the version of struts, and determine if it has the security exploit and/or is exploitable (if it isn't accessible to the outside world generally it isn't a concern, of course this depends on company size and the nature of what is being secured)]. Some assumptions could be made about the internal project structure that could save a great deal of time but because of build differences these shortcuts (assuming what folder libraries are stored in) could cause you to miss something so it is probably best to just search everything.
>
> On Wed, Sep 6, 2017 at 4:56 PM, Sean Son wrote:
>
> > Hello all
> >
> > I am new to the mailing list as well as new to Apache Struts. We all heard in the news about the vulnerability affecting Apache Struts. I have been tasked to determine which of our servers have Struts running on them. I have a few questions on how to determine if a server is running Struts or not:
> >
> > 1) How does one determine if a Windows server, running IIS, has the Apache Struts framework installed on it?
> >
> > 2) Does Apache Struts only run on Apache Webserver and Tomcat?
> >
> > 3) Is there a simple way to determine if a server has Struts installed, instead of logging into each of the servers and checking the programs list?
> >
> > I appreciate ALL help!
> >
> > Thanks
> >
> > Sean
>
> --
> Sent from my C64 using a 300 baud modem

--
Sent from my C64 using a 300 baud modem
Re: How to determine if a Windows server is running Apache Struts?
Struts isn't a stand alone program but a framework, typically seen as project dependency which supports web development on the JVM.

I don't know the answer to 1) [although I will at the end go through the process I would attempt to find such programs].

2) No. Struts2 [which is different code base from struts v1, and does not share the same issues] is a Java Web Framework, it will run on any JEE compliant web server, and will run on embedded web servers such as Jetty.

3) No. And the program list will not determine if the program uses the struts framework.

How I would attempt to determine the issue:

Most programs will not have been obfuscated (which may make determining this much harder).
Java applications are typically packaged as JAR, WAR, or EAR. These are all just zip files. I would automate the process to scan for all such files, open them, recursively travel their internal folder structure and search for either struts.xml OR struts2-core-*.jar where "*" is a version number, and accumulate all such files and/or paths to these files into a plain text document and then check them by hand [to determine the version of struts, and determine if it has the security exploit and/or is exploitable (if it isn't accessible to the outside world generally it isn't a concern, of course this depends on company size and the nature of what is being secured)]. Some assumptions could be made about the internal project structure that could save a great deal of time but because of build differences these shortcuts (assuming what folder libraries are stored in) could cause you to miss something so it is probably best to just search everything.

On Wed, Sep 6, 2017 at 4:56 PM, Sean Son wrote:

> Hello all
>
> I am new to the mailing list as well as new to Apache Struts. We all heard in the news about the vulnerability affecting Apache Struts. I have been tasked to determine which of our servers have Struts running on them. I have a few questions on how to determine if a server is running Struts or not:
>
> 1) How does one determine if a Windows server, running IIS, has the Apache Struts framework installed on it?
>
> 2) Does Apache Struts only run on Apache Webserver and Tomcat?
>
> 3) Is there a simple way to determine if a server has Struts installed, instead of logging into each of the servers and checking the programs list?
>
> I appreciate ALL help!
>
> Thanks
>
> Sean

--
Sent from my C64 using a 300 baud modem
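The scan described in the message above, together with the follow-up advice about exploded applications and made-up test archives, as an added Python example (not code from the thread or from the Struts project; it runs the same on Windows and Linux). The function names, the `!/` separator used in reported paths, and the depth and size limits are assumptions of this sketch.

```python
import fnmatch
import io
import os
import zipfile
import zlib

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MARKERS = ("struts.xml", "struts2-core-*.jar")   # the two names given in the thread
MAX_DEPTH = 5                       # assumption: how deep archives-in-archives are followed
MAX_NESTED_BYTES = 512 * 1024 ** 2  # assumption: larger nested archives are skipped


def is_marker(name):
    """True if the base name is struts.xml or struts2-core-<version>.jar."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, pattern) for pattern in MARKERS)


def scan_archive(fileobj, label, hits, depth=0):
    """Walk one zip-format archive and recurse into archives stored inside it."""
    try:
        archive = zipfile.ZipFile(fileobj)
    except (zipfile.BadZipFile, OSError):
        return  # wrong extension or damaged file: nothing to list
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner = f"{label}!/{info.filename}"
            if is_marker(info.filename):
                hits.append(inner)
            nested = info.filename.lower().endswith(ARCHIVE_EXTS)
            if nested and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                try:
                    data = archive.read(info)
                except (zipfile.BadZipFile, zlib.error, RuntimeError,
                        NotImplementedError, OSError):
                    continue  # encrypted, corrupt or unsupported entry
                scan_archive(io.BytesIO(data), inner, hits, depth + 1)


def scan_tree(root):
    """Return sorted paths of every marker under root, exploded or packaged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_marker(name):
                hits.append(path)  # exploded deployment or loose library
            if name.lower().endswith(ARCHIVE_EXTS):
                try:
                    with open(path, "rb") as handle:
                        scan_archive(handle, path, hits)
                except OSError:
                    continue  # locked or unreadable file
    return sorted(hits)


def make_test_fixture(root):
    """Constructed test data: made-up marker files in nested zips and a plain folder."""
    def zip_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    fake_core = zip_bytes({"made-up.txt": b"not a real Struts jar"})
    war = zip_bytes({"WEB-INF/lib/struts2-core-0.0.0.jar": fake_core,
                     "WEB-INF/classes/struts.xml": b"<struts/>"})
    with open(os.path.join(root, "app.ear"), "wb") as handle:
        handle.write(zip_bytes({"web.war": war}))
    exploded = os.path.join(root, "exploded", "WEB-INF", "classes")
    os.makedirs(exploded)
    with open(os.path.join(exploded, "struts.xml"), "w") as handle:
        handle.write("<struts/>")


if __name__ == "__main__":
    import sys
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    with open("struts-findings.txt", "w", encoding="utf-8") as report:
        report.writelines(line + "\n" for line in found)
    print(f"{len(found)} candidate path(s) written to struts-findings.txt")
```

Run it with an application or drive root as the only argument; each reported path still has to be checked by hand for the Struts version, as the message says.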
How to determine if a Windows server is running Apache Struts?
Hello all

I am new to the mailing list as well as new to Apache Struts. We all heard in the news about the vulnerability affecting Apache Struts. I have been tasked to determine which of our servers have Struts running on them. I have a few questions on how to determine if a server is running Struts or not:

1) How does one determine if a Windows server, running IIS, has the Apache Struts framework installed on it?

2) Does Apache Struts only run on Apache Webserver and Tomcat?

3) Is there a simple way to determine if a server has Struts installed, instead of logging into each of the servers and checking the programs list?

I appreciate ALL help!

Thanks

Sean
Re: Struts 2.3 fix for s2-052?
2017-09-06 18:40 GMT+02:00 William Stranathan:
> Any ETA?

Under way to the Central and mirrors

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts 2.3 fix for s2-052?
Any ETA?

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:

> 2017-09-06 16:12 GMT+02:00 Emi:
> > Hello,
> >
> > > I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Incidentally, the wiki points out that 2.3 is vulnerable, but http://struts.apache.org/docs/s2-052.html still only states 2.5.

On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote:

> 2017-09-06 16:12 GMT+02:00 Emi:
> > Hello,
> >
> > > I finally read your email where you gave the dist URL for the dev release.
> >
> > This is the release that I should use for 2.3 right?
> >
> > https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Yes, it should be officially released and announced soon
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
2017-09-06 16:12 GMT+02:00 Emi:
> Hello,
>
> > I finally read your email where you gave the dist URL for the dev release.
>
> This is the release that I should use for 2.3 right?
>
> https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Yes, it should be officially released and announced soon

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Hello,

> I finally read your email where you gave the dist URL for the dev release.

This is the release that I should use for 2.3 right?

https://dist.apache.org/repos/dist/dev/struts/2.3.34/

Thanks.

> I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:
>
> > 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> > > Here is the full info
> > > http://markmail.org/message/5xuhb2vwc7iagjjr
> >
> > William, how does your test pass?
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Thanks a lot!

2017-09-06 15:56 GMT+02:00 William Stranathan:
> I finally read your email where you gave the dist URL for the dev release. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.
>
> I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).
>
> On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:
>
> > 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> > > Here is the full info
> > > http://markmail.org/message/5xuhb2vwc7iagjjr
> >
> > William, how does your test pass?
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
I finally read your email where you gave the dist URL for the dev release. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions.

I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against that as well, and that also gave the exception around class permissions (the exception it should throw when deserialization attempts to instantiate a non-allowed class).

On Wed, Sep 6, 2017 at 9:42 AM Lukasz Lenart wrote:

> 2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> > Here is the full info
> > http://markmail.org/message/5xuhb2vwc7iagjjr
>
> William, how does your test pass?
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
2017-09-06 12:37 GMT+02:00 Lukasz Lenart:
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr

William, how does your test pass?

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Ah.. right, I forgot about that

2017-09-06 13:11 GMT+02:00 William Stranathan:
> And yes, it looks like the Jenkins builds have been failing for quite some time:
> https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
> (that error message is not too dissimilar from the one I get with JDK 7 in the same module).
>
> On Wed, Sep 6, 2017 at 7:04 AM William Stranathan wrote:
>
> > Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
> >
> > I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.
> >
> > On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
> >
> > > 2017-09-06 12:31 GMT+02:00 William Stranathan:
> > > > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
> > >
> > > Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
> > >
> > > > Where do I get the bits for testing 2.3.34, if not the snapshots?
> > >
> > > Here is the full info
> > > http://markmail.org/message/5xuhb2vwc7iagjjr
> > >
> > > Thanks & regards
> > > --
> > > Łukasz
> > > + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
2017-09-06 13:04 GMT+02:00 William Stranathan:
> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.

Looks like something is broken with publishing the latest SNAPSHOTS

This contains only month old builds
https://repository.apache.org/content/groups/snapshots/org/apache/struts/struts2-rest-plugin/2.3.34-SNAPSHOT/

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
And yes, it looks like the Jenkins builds have been failing for quite some time:
https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console
(that error message is not too dissimilar from the one I get with JDK 7 in the same module).

On Wed, Sep 6, 2017 at 7:04 AM William Stranathan wrote:

> Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.
>
> I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.
>
> On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:
>
> > 2017-09-06 12:31 GMT+02:00 William Stranathan:
> > > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
> >
> > Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
> >
> > > Where do I get the bits for testing 2.3.34, if not the snapshots?
> >
> > Here is the full info
> > http://markmail.org/message/5xuhb2vwc7iagjjr
> >
> > Thanks & regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12.

I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showcase), and that fails with the correct permission message.

On Wed, Sep 6, 2017 at 6:38 AM Lukasz Lenart wrote:

> 2017-09-06 12:31 GMT+02:00 William Stranathan:
> > Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
>
> Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.
>
> > Where do I get the bits for testing 2.3.34, if not the snapshots?
>
> Here is the full info
> http://markmail.org/message/5xuhb2vwc7iagjjr
>
> Thanks & regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
2017-09-06 12:31 GMT+02:00 William Stranathan:
> Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).

Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them.

> Where do I get the bits for testing 2.3.34, if not the snapshots?

Here is the full info
http://markmail.org/message/5xuhb2vwc7iagjjr

Thanks & regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: Struts 2.3 fix for s2-052?
Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).

Where do I get the bits for testing 2.3.34, if not the snapshots?

On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart wrote:

> 2017-09-06 6:22 GMT+02:00 William Stranathan:
> > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable.
> >
> > Is there a fix for this vulnerability on the 2.3 stream forthcoming?
>
> I have called for a vote just now, 2.3.34 contains all the backports from 2.5.13 related to the security vulnerabilities. Please test and report back.
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Clicking helloworld link got java.lang.NoSuchMethodError: org.apache.commons.lang3.reflect.MethodUtils.getAnnotation
> I tried
> export CLASSPATH=$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:$CLASSPATH:.
>
> but the helloworld link in index.jsp still did not see the /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar.
>
> my_tomcat.log did not have this line any more
> [Loaded org.apache.commons.lang3.reflect.MethodUtils from file:/home/alkao/tomee/apache-tomee-plus-7.0.3/lib/commons-lang3-3.5.jar]
>
> It had lines such as:
> [Loaded org.apache.commons.lang3.text.StrLookup from file:/home/alkao/tomee/apache-tomee-plus-7.0.3/lib/commons-lang3-3.5.jar]
> [Loaded org.apache.commons.lang3.CharSequenceUtils from file:/home/alkao/tomee/apache-tomee-plus-7.0.3/lib/commons-lang3-3.5.jar]
> ...

Hi,

this still indicates that an old version of commons-lang3 is loaded from tomee dir. Another, but hacky, solution would be to remove that file from tomee and place commons-lang3-3.6.jar in tomee's lib folder.

Regards,
Christoph

> On Mon, Sep 4, 2017 at 1:30 PM, Yasser Zamani wrote:
>
> > > Although I had done the following:
> > > export CLASSPATH=$CLASSPATH:$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:.
> >
> > If you would like to solve it like above, I think you may try below instead ($CLASSPATH at end):
> >
> > export CLASSPATH=$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:.:$CLASSPATH
> >
> > On 9/4/2017 5:24 PM, albert kao wrote:
> > > As per your instruction, modify catalina.sh:
> > > JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -XX:+TraceClassLoading -XX:+TraceClassUnloading"
> > >
> > > $ catalina.sh run > my_tomcat.log 2>&1
> > >
> > > my_tomcat.log:
> > > [Loaded org.apache.commons.lang3.reflect.MethodUtils from file:/home/alkao/tomee/apache-tomee-plus-7.0.3/lib/commons-lang3-3.5.jar]
> > >
> > > Although I had done the following:
> > > export CLASSPATH=$CLASSPATH:$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:.
> > >
> > > $ ls /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3*
> > > /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar
> > >
> > > Therefore the helloworld link in index.jsp did not see the /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar.
> > >
> > > On Sat, Sep 2, 2017 at 2:46 PM, Yasser Zamani wrote:
> > >
> > > > I did as you said and did not get any exception!
> > > >
> > > > Could you please add following line to catalina.bat:
> > > >
> > > > set "JAVA_OPTS=-XX:+TraceClassLoading -XX:+TraceClassUnloading"
> > > >
> > > > then:
> > > >
> > > > catalina.bat run > my_tomcat.log 2>&1
> > > >
> > > > then finally search my_tomcat.log for MethodUtils?
> > > >
> > > > I would like to see from where your tomcat load MethodUtils class!
> > > >
> > > > On 9/2/2017 7:06 PM, albert kao wrote:
> > > > > My hello-world.war has the commons lang3 3.6:
> > > > > hello-world/WEB-INF/lib
> > > > > hello-world/WEB-INF/lib/commons-fileupload-1.3.3.jar
> > > > > hello-world/WEB-INF/lib/ognl-3.1.12.jar
> > > > > hello-world/WEB-INF/lib/struts2-core-2.5.12.jar
> > > > > hello-world/WEB-INF/lib/freemarker-2.3.23.jar
> > > > > hello-world/WEB-INF/lib/log4j-core-2.8.2.jar
> > > > > hello-world/WEB-INF/lib/log4j-api-2.8.2.jar
> > > > > hello-world/WEB-INF/lib/commons-io-2.4.jar
> > > > > hello-world/WEB-INF/lib/javassist-3.20.0-GA.jar
> > > > > hello-world/WEB-INF/lib/commons-lang3-3.6.jar
> > > > >
> > > > > However, the helloworld link in index.jsp did not see it.
> > > > >
> > > > > On Sat, Aug 26, 2017 at 7:43 PM, Yasser Zamani wrote:
> > > > >
> > > > > > I checked its codes and seems ok. It has a dependency to struts 2.5.12 which has (not optional) dependency to commons lang3 3.6. So you should have commons lang3 3.6 in your war lib. Do you? Or maybe you have lower version of commons lang3 jar in your tomcat lib? Please check both.
> > > > > >
> > > > > > albert kao wrote:
> > > > > >
> > > > > > > I downloaded struts-examples-master.zip from https://github.com/apache/struts-examples.
> > > > > > > Unzip it and run mvn.
> > > > > > >
> > > > > > > # mvn -version
> > > > > > > Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T11:41:47-05:00)
> > > > > > > Maven home: /home/alkao/maven/apache-maven-3.3.9
> > > > > > > Java version: 1.8.0_131, vendor: Oracle Corporation
> > > > > > > Java home: /home/alkao/jdk/jdk1.8.0_131/jre
> > > > > > > Default locale: en_CA, platform encoding: UTF-8
> > > > > > > OS name: "linux", version: "4.4.0-21-generic", arch: "i386", family: "unix"
> > > > > > >
> > > > > > > $ mvn -e clean package
> > > > > > > [INFO] Error stacktraces are turned on.
> > > > > > > [INFO] Scanning for projects...
> > > > > > > [WARNING]
> > > > > > > [WARNING] Some problems were encountered while building the effective model for org.apache.struts:annotations:war:1.0.0
> > > > > > > [WARNING] The expression ${artifactId} i