Re: Java security issue vs. struts?

2013-01-18 Thread Emi Lu

Thank you Chris. Moreover, if I call jfreechart to generate reports through
web applications, it will not be affected, I believe?


As long as you do not use applets to output JFreeChart data you should
be fine (that is, if you generate images with JFreeChart).


(1) My jsp:
  <img src="jfreechart_reportProcessReport.action" />

(2) struts.xml

<action name="jfreechart_reportProcessReport" method="jfreechart_report"
        class="ProcessReport">
  <result name="success" type="chart">
    <param name="chart">chart</param>
    <param name="width">1000</param>
    <param name="height">500</param>
  </result>
</action>


(3) My struts java action class (server side):

do:
ChartFactory.createBarChart3D(){... ...}


As a result, due to (1) to (3), I am safe, I believe.

Thanks a lot for all your comments!
Emi


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
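The point the thread settles on is that the alert covers the Java browser plugin (applets and Web Start), while a Struts 2 action that renders a chart runs inside the server JVM and hands the browser nothing but image bytes. The class below is an added illustration, not Emi's actual action class and not part of the struts2-jfreechart plugin: it is a hypothetical ProcessReport that fits the struts.xml shown above, with constructed sample data. It assumes JFreeChart 1.0.x (ChartFactory.createBarChart3D and ChartUtilities.writeChartAsPNG) and that the chart result reads the action's getChart() property; the width and height come from the result params, and main() only exists so the class can be exercised outside a container.

```java
// Added example (hypothetical, not the original poster's code): a Struts 2
// action that builds a chart on the server. Nothing here ever reaches the
// browser as Java; the visitor's <img> tag receives only a PNG.
import org.jfree.chart.ChartFactory;
import org.jfree.chart.ChartUtilities;
import org.jfree.chart.JFreeChart;
import org.jfree.chart.plot.PlotOrientation;
import org.jfree.data.category.DefaultCategoryDataset;

import java.io.ByteArrayOutputStream;
import java.io.IOException;

public class ProcessReport {
    private JFreeChart chart;

    // Action method named in struts.xml (method="jfreechart_report").
    public String jfreechart_report() {
        DefaultCategoryDataset dataset = new DefaultCategoryDataset();
        // Constructed sample data; a real action would query a data source.
        dataset.addValue(120, "Requests", "Mon");
        dataset.addValue(95, "Requests", "Tue");
        dataset.addValue(140, "Requests", "Wed");
        chart = ChartFactory.createBarChart3D(
                "Process report", "Day", "Count", dataset,
                PlotOrientation.VERTICAL, true, false, false);
        return "success";   // maps to <result name="success" type="chart">
    }

    // Assumed to be the property the chart result reads before it writes the
    // image to the HTTP response.
    public JFreeChart getChart() {
        return chart;
    }

    // Server-side rendering step: the chart becomes PNG bytes here, which is
    // all that leaves the JVM.
    public static byte[] renderPng(JFreeChart c, int width, int height) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ChartUtilities.writeChartAsPNG(out, c, width, height);
        return out.toByteArray();
    }

    // Stand-alone check outside a servlet container.
    public static void main(String[] args) throws IOException {
        ProcessReport action = new ProcessReport();
        action.jfreechart_report();
        byte[] png = renderPng(action.getChart(), 1000, 500);
        // Every PNG starts with the bytes 0x89 'P' 'N' 'G'.
        boolean isPng = png.length > 4
                && (png[0] & 0xFF) == 0x89 && png[1] == 'P'
                && png[2] == 'N' && png[3] == 'G';
        System.out.println("rendered " + png.length + " bytes, PNG header ok: " + isPng);
    }
}
```

Run it with -Djava.awt.headless=true on a server without a display; JFreeChart draws through Java2D, which is the reason the rendering needs the server JVM and never a browser JVM.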



Re: Java security issue vs. struts?

2013-01-18 Thread Emi Lu

Hello Martin,

I did not find a bug report under the Struts JIRA related to jfreechart.

More details about how I use jfreechart:
(1) jsp <img src=".action">
(2) JAVA Action class, generated jsp
(3) struts.xml specifies img size

Hope this info will help others who have the same concern :-)

Have a good weekend!
Emi





 Original Message 
Subject: Re: Java security issue vs. struts?
Date: Fri, 18 Jan 2013 12:00:31 -0500
From: Emi Lu em...@encs.concordia.ca
Reply-To: em...@encs.concordia.ca
To: Christian Grobmeier grobme...@gmail.com
CC: Struts Users Mailing List user@struts.apache.org,  Chris Pratt 
thechrispr...@gmail.com



Thank you Chris. Moreover, if I call jfreechart to generate reports through
web applications, it will not be affected, I believe?


As long as you do not use Applets to output JFreechart data you should
be fine (saying: if you generate images with JFreechart)


(1) My jsp:
  img src=jfreechart_reportProcessReport.action

(2) struts.xml

action name=jfreechart_reportProcessReport  method=jfreechart_report
class=ProcessReport
 result name=success type=chart
param name=chartchart/param
param name=width1000/param
param name=height500/param
 /result
/action


(3) My struts java action class (server side):

do:
ChartFactory.createBarChart3D(){... ...}


As a result, due to (1) ~(3) I am safe I believe.

Thanks a lot for all your comments!
Emi




 mailto:user-unsubscr...@struts.apache.org
 For additional commands, e-mail: user-h...@struts.apache.org
 mailto:user-h...@struts.apache.org





--
Emi Lu, ENCS, Concordia University, Montreal H3G 1M8
em...@encs.concordia.ca+1 514 848-2424 x5884




RE: Java security issue vs. struts?

2013-01-18 Thread Martin Gainty

1) The open access created via an OGNL expression request to Context is a minor
breach. Contact Dave or Lukasz for a solution (at least one of them will plug
the hole).
2) If you're a security guy (or gal), start subscribing to CVE bulletins.
Oracle *usually* addresses these issues right away, and you can read about the
latest vulnerability and ways to mitigate the breach at
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Good luck,
Martin

 Date: Fri, 18 Jan 2013 12:21:28 -0500
 From: em...@encs.concordia.ca
 To: user@struts.apache.org
 CC: mgai...@hotmail.com; thechrispr...@gmail.com
 Subject: Re: Java security issue vs. struts?
 
 Hello Martin,
 
 I did not find a bug report under the Struts JIRA related to jfreechart.
 
 More details about how I use jfreechart:
 (1) jsp <img src=".action">
 (2) JAVA Action class, generated jsp
 (3) struts.xml specifies img size
 
 Hope this info will help others who have the same concern :-)
 
 Have a good weekend!
 Emi
 
 

Java security issue vs. struts?

2013-01-16 Thread Emi Lu

Hello,

Does someone know how this java security issue related to struts framework?

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Thanks a lot!
Emi




Re: Java security issue vs. struts?

2013-01-16 Thread Chris Pratt
I believe the description says it all.

This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert
TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and
another vulnerability affecting Java running in web browsers. *These
vulnerabilities are not applicable to Java running on servers,* standalone
Java desktop applications or embedded Java applications. They also do not
affect Oracle server-based software.




Re: Java security issue vs. struts?

2013-01-16 Thread Emi Lu

On 01/16/2013 04:54 PM, Emi Lu wrote:

Hello,

Does someone know how this Java security issue is related to the Struts framework?

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html


One more link:
http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/

For example, would struts2-jfreechart be considered a Java app run through the 
web browser?


Emi





Re: Java security issue vs. struts?

2013-01-16 Thread Emi Lu

On 01/16/2013 05:02 PM, Chris Pratt wrote:

I believe the description says it all.

This Security Alert addresses security issues CVE-2013-0422 (US-CERT
Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
and another vulnerability affecting Java running in web browsers. *These
vulnerabilities are not applicable to Java running on servers,*
standalone Java desktop applications or embedded Java applications. They
also do not affect Oracle server-based software.

Thank you Chris. Moreover, if I call jfreechart to generate reports 
through web applications, it will not be affected, I believe?


Emi







RE: Java security issue vs. struts?

2013-01-16 Thread Martin Gainty

Hi Chris, this issue came up on another Apache users list. I believe there was 
an open-access issue to the Remote Context Object by OGNL 
(but I think Lukasz or Dave addressed the issue). Emi, did you see this in 
Struts Jira? Good luck,
Martin 
__ 
Disclaimer and confidentiality notice: This message is confidential and may be 
privileged. If you are not the intended recipient, we kindly ask you to inform 
the sender. Any unauthorized distribution or copying of it is prohibited. This 
message is for information only and shall have no legally binding effect. Since 
e-mails can easily be tampered with, we cannot accept any responsibility for the 
content provided.


Re: Java security issue vs. struts?

2013-01-16 Thread Dave Newton
...

Where does Struts 2 run? In the browser, or on a server?

Dave



-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton https://twitter.com/dave_newton
b: Bucky Bits http://buckybits.blogspot.com/
g: davelnewton https://github.com/davelnewton
so: Dave Newton http://stackoverflow.com/users/438992/dave-newton


Re: Java security issue vs. struts?

2013-01-16 Thread Christian Grobmeier
On Wed, Jan 16, 2013 at 11:12 PM, Emi Lu em...@encs.concordia.ca wrote:
 On 01/16/2013 05:02 PM, Chris Pratt wrote:

 I believe the description says it all.

 This Security Alert addresses security issues CVE-2013-0422 (US-CERT
 Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
 and another vulnerability affecting Java running in web browsers. *These
 vulnerabilities are not applicable to Java running on servers,*
 standalone Java desktop applications or embedded Java applications. They
 also do not affect Oracle server-based software.

 Thank you Chris. Moreover, if I call jfreechart to generate reports through
 web applications, it will not be affected, I believe?

As long as you do not use applets to output JFreeChart data you should
be fine (that is, if you generate images with JFreeChart).



--
http://www.grobmeier.de
https://www.timeandbill.de
