Re: CVE-2023-49735 in Apache Tiles

2024-01-10 Thread Lukasz Lenart
One correction: I missed the word "onwards" which means Tiles 3 is also
affected, yet I assume the report itself is invalid.


Re: CVE-2023-49735 in Apache Tiles

2024-01-10 Thread Sebastian Götz

This is a good idea. I will post to the security group.

On 10.01.2024 at 12:22, Lukasz Lenart wrote:

Hi Sebastian,

To be honest I have no idea why this triggers any alert. The 
vulnerability targets Tiles 2.0 [1] while Struts (even before merging 
the codebase) is using Tiles 3, which shouldn't be affected. This could 
be a false-positive alert in OWASP. Also the vulnerability 
report looks suspicious as it mentions manipulating the session 
attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the 
tiles-test example [2] I can say it's a developer fault, not a library 
vulnerability; the report is invalid IMO.


We can move this discussion to security@struts.a.o to get support from 
ASF Security gurus.


[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2] 
https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102



Cheers
Łukasz

Wed, 10 Jan 2024 at 11:08 Sebastian Götz wrote:


Hi Lukasz,

happy new year to you and everyone as well!

Unfortunately I had some trouble with the mailing list and thus
did not receive your reply. I have found it browsing the group by
browser and so I post your reply here for reference:

Happy New Year!

The Tiles codebase has been copied into the Struts Tiles plugin
[1] and it's part of Struts 6.3.0 right now. Migrating to
this version should solve the problem. And we (Struts) are going
to maintain the Tiles codebase under the plugin, so no worries :)

[1] https://issues.apache.org/jira/browse/WW-5233

Cheers
Łukasz

I am very glad to hear that we do not have to move away from Tiles
as it is the core of our product. We are running the OWASP
dependency checker during the build. As we are on Struts 6.3.0.2
already, which should be the most recent version, I am not quite
clear what to do now as the checker still marks
struts-tiles-plugin.jar as vulnerable:

Dependency-Check Failure: One or more dependencies were identified
with vulnerabilities that have a CVSS score greater than or equal
to '7,0': struts2-tiles-plugin.jar: CVE-2023-49735

So my question is: can we treat this as a false positive, or is the
vulnerability still there and we need to wait for a fix version?

Kind regards

Sebastian


On 02.01.2024 at 09:57, Sebastian Götz wrote:

Hello to anybody and a happy new year!

Our dependency check started to fail last year already, marking
struts2-tiles-plugin as the source of a security issue. As the
plugin uses Apache Tiles 3.0.8 underneath, it is affected by
CVE-2023-49735.
Now, as we use the struts-tiles-plugin to build our web pages and
the Tiles project is already retired, can somebody from the team
explain how to mitigate the security issue (besides moving away
from Tiles completely)?

Kind regards

Sebastian




-- 


Kind regards
iNFORM Technology GmbH

Sebastian Götz

*

iNFORM Technology GmbH
Berliner Straße 24
72458 Albstadt-Ebingen

Tel: +49 7431 9816090
s.go...@inform-technology.de
http://www.inform-technology.de/

*



Managing Director: Christian Wanner | Commercial Register: HRB 773712,
Stuttgart District Court | VAT ID No.: DE312290945


This e-mail may contain confidential and/or privileged
information. If you are not the intended recipient (or have
received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorised copying,
disclosure or distribution of the material in this e-mail is
strictly forbidden.




Re: CVE-2023-49735 in Apache Tiles

2024-01-10 Thread Lukasz Lenart
Hi Sebastian,

To be honest I have no idea why this triggers any alert. The
vulnerability targets Tiles 2.0 [1] while Struts (even before merging the
codebase) is using Tiles 3, which shouldn't be affected. This could be a
false-positive alert in OWASP. Also the vulnerability report looks
suspicious as it mentions manipulating the session
attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the
tiles-test example [2] I can say it's a developer fault, not a library
vulnerability; the report is invalid IMO.

We can move this discussion to security@struts.a.o to get support from ASF
Security gurus.

[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2]
https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102


Cheers
Łukasz

Wed, 10 Jan 2024 at 11:08 Sebastian Götz wrote:

> Hi Lukasz,
>
> happy new year to you and everyone as well!
>
> Unfortunately I had some trouble with the mailing list and thus did not
> receive your reply. I have found it browsing the group by browser and so I
> post your reply here for reference:
>
> Happy New Year!
> The Tiles codebase has been copied into the Struts Tiles plugin [1] and
> it's part of Struts 6.3.0 right now. Migrating to this version should
> solve the problem. And we (Struts) are going to maintain the Tiles codebase
> under the plugin, so no worries :)
>
> [1] https://issues.apache.org/jira/browse/WW-5233
>
> Cheers Łukasz
>
> I am very glad to hear that we do not have to move away from Tiles as it
> is the core of our product. We are running the OWASP dependency checker
> during the build. As we are on Struts 6.3.0.2 already, which should be the
> most recent version, I am not quite clear what to do now as the checker
> still marks struts-tiles-plugin.jar as vulnerable:
>
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a 
> CVSS score greater than or equal to '7,0':
> struts2-tiles-plugin.jar: CVE-2023-49735
>
> So my question is: can we treat this as a false positive, or is the
> vulnerability still there and we need to wait for a fix version?
>
> Kind regards
>
> Sebastian
>
>
> On 02.01.2024 at 09:57, Sebastian Götz wrote:
>
> Hello to anybody and a happy new year!
>
> Our dependency check started to fail last year already, marking
> struts2-tiles-plugin as the source of a security issue. As the plugin uses
> Apache Tiles 3.0.8 underneath, it is affected by CVE-2023-49735.
> Now, as we use the struts-tiles-plugin to build our web pages and the Tiles
> project is already retired, can somebody from the team explain how to
> mitigate the security issue (besides moving away from Tiles completely)?
>
> Kind regards
>
> Sebastian
>
>
>
>


Re: CVE-2023-49735 in Apache Tiles

2024-01-10 Thread Sebastian Götz

Hi Lukasz,

happy new year to you and everyone as well!

Unfortunately I had some trouble with the mailing list and thus did not 
receive your reply. I have found it browsing the group by browser and so 
I post your reply here for reference:


Happy New Year!

The Tiles codebase has been copied into the Struts Tiles plugin [1] and 
it's part of Struts 6.3.0 right now. Migrating to this version 
should solve the problem. And we (Struts) are going to maintain the 
Tiles codebase under the plugin, so no worries :)

[1] https://issues.apache.org/jira/browse/WW-5233

Cheers Łukasz


I am very glad to hear that we do not have to move away from Tiles as it 
is the core of our product. We are running the OWASP dependency checker 
during the build. As we are on Struts 6.3.0.2 already, which should be 
the most recent version, I am not quite clear what to do now as the 
checker still marks struts-tiles-plugin.jar as vulnerable:


Dependency-Check Failure: One or more dependencies were identified with 
vulnerabilities that have a CVSS score greater than or equal to '7,0': 
struts2-tiles-plugin.jar: CVE-2023-49735


So my question is: can we treat this as a false positive, or is the 
vulnerability still there and we need to wait for a fix version?


Kind regards

Sebastian


On 02.01.2024 at 09:57, Sebastian Götz wrote:

Hello to anybody and a happy new year!

Our dependency check started to fail last year already, marking 
struts2-tiles-plugin as the source of a security issue. As the plugin 
uses Apache Tiles 3.0.8 underneath, it is affected by CVE-2023-49735.
Now, as we use the struts-tiles-plugin to build our web pages and the 
Tiles project is already retired, can somebody from the team explain how 
to mitigate the security issue (besides moving away from Tiles 
completely)?


Kind regards

Sebastian





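The build failure quoted in the message above is OWASP Dependency-Check's CVSS threshold (7.0) tripping on struts2-tiles-plugin.jar. While the finding is still unconfirmed either way, the defender-side way to unblock the build without hiding the finding is a suppression scoped to this one package and this one CVE, time-boxed so it resurfaces for re-review, rather than lowering the threshold or disabling the check. The file below is an added example, not from this thread or the Struts project; it assumes the plugin's Maven coordinates are org.apache.struts:struts2-tiles-plugin and a review date of 2024-04-30, both placeholders to adjust.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for the finding discussed in this thread.
     Assumptions: Maven coordinates org.apache.struts:struts2-tiles-plugin,
     re-review date 2024-04-30 (placeholder). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- 'until' makes the suppression expire: after this date the finding is
         reported again and the justification has to be re-checked. -->
    <suppress until="2024-04-30Z">
        <notes><![CDATA[
        CVE-2023-49735 reported against struts2-tiles-plugin.jar (Tiles 3.0.8 codebase).
        Per Lukasz Lenart on the struts-user list (Jan 2024) the report targets
        Tiles 2.0 and is believed to be a false positive / developer misuse;
        confirmation from the ASF security team is still pending.
        ]]></notes>
        <!-- Scope by package URL, not by file name, so an unrelated jar that
             happens to share the name is not silently suppressed. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts2\-tiles\-plugin@.*$</packageUrl>
        <!-- Scope to this one CVE; any other finding on the same jar still fails the build. -->
        <cve>CVE-2023-49735</cve>
    </suppress>
</suppressions>
```

Reference the file from the build (the Maven plugin's `suppressionFiles` setting or the CLI `--suppression` option) and keep the notes block as the audit trail for why the finding was accepted.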

Re: CVE-2023-49735 in Apache Tiles

2024-01-02 Thread Lukasz Lenart
Tue, 2 Jan 2024 at 13:34 Sebastian Götz wrote:
> Hello to anybody and a happy new year!

Happy New Year!

> Our dependency check started to fail last year already, marking
> struts2-tiles-plugin as the source of a security issue. As the plugin
> uses Apache Tiles 3.0.8 underneath, it is affected by CVE-2023-49735.
> Now, as we use the struts-tiles-plugin to build our web pages and the
> Tiles project is already retired, can somebody from the team explain how
> to mitigate the security issue (besides moving away from Tiles completely)?

The Tiles codebase has been copied into the Struts Tiles plugin [1]
and it's part of Struts 6.3.0 right now. Migrating to this
version should solve the problem. And we (Struts) are going to
maintain the Tiles codebase under the plugin, so no worries :)

[1] https://issues.apache.org/jira/browse/WW-5233


Cheers
Łukasz

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



CVE-2023-49735 in Apache Tiles

2024-01-02 Thread Sebastian Götz

Hello to anybody and a happy new year!

Our dependency check started to fail last year already, marking 
struts2-tiles-plugin as the source of a security issue. As the plugin 
uses Apache Tiles 3.0.8 underneath, it is affected by CVE-2023-49735.
Now, as we use the struts-tiles-plugin to build our web pages and the 
Tiles project is already retired, can somebody from the team explain how 
to mitigate the security issue (besides moving away from Tiles completely)?


Kind regards

Sebastian




