RE: Apache Struts 2 Vulnerability in Tomcat 7.x

2017-09-08 Thread Billy Aung Myint
Hi Markus,

Thanks. So can I rephrase that unless we add/deploy Struts 
applications/libraries on Tomcat, vanilla installed Tomcat is not impacted by 
the mentioned vulnerability in Struts?
 

-Original Message-
From: i...@flyingfischer.ch [mailto:i...@flyingfischer.ch] 
Sent: Friday, 8 September, 2017 5:12 PM
To: users@tomcat.apache.org
Subject: Re: Apache Struts 2 Vulnerability in Tomcat 7.x

On 08.09.2017 at 10:59, Billy Aung Myint wrote:
> Hi Everyone,
>
> May I know if Tomcat 7.x version is affected by the Apache Struts 2 
> vulnerability?
> I mean does Tomcat use any of the Struts libraries or such in any part of 
> Tomcat?
>
> Thanks!
>
Tomcat is affected by Tomcat vulnerabilities, Struts is affected by Struts 
vulnerabilities.

If you deploy old and not up-to-date Struts libraries in Tomcat, then you will be 
exposed to the corresponding exploits. In this case, as always and independent 
of the nature of the component: upgrade to the latest available version and/or 
use other measures to block attacking requests.

Markus

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Apache Struts 2 Vulnerability in Tomcat 7.x

2017-09-08 Thread Mark Thomas
On 08/09/17 09:59, Billy Aung Myint wrote:
> Hi Everyone,
> 
> May I know if Tomcat 7.x version is affected by the Apache Struts 2 
> vulnerability?

Which one? I'm guessing you mean CVE-2017-9805. It actually doesn't
matter in this case but security vulnerabilities are given identifiers
exactly so they can be referred to unambiguously. Struts has had quite a
few vulnerabilities so it is not obvious from your query which one you
are referring to.

> I mean does Tomcat use any of the Struts libraries or such in any part of 
> Tomcat?

No currently supported version of Apache Tomcat has any dependency on
any version of Struts.

Applications that might have been deployed on Tomcat may still have
dependencies on Struts and you'd need to approach the providers of each
of those applications for more information.

Mark
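
The reply above points out that applications deployed on Tomcat may carry their own Struts dependency even though Tomcat itself has none. The following is an added example, not part of the original thread: a small inventory script that lists Struts JARs bundled in `WEB-INF/lib` of exploded applications and packed WAR files. The directory layout, application names and JAR versions in `build_sample` are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Matches struts-*/struts2-* JARs in WEB-INF/lib. The version is read from the
# file name, so a renamed JAR reports "unknown" (inspect its MANIFEST.MF then).
JAR_RE = re.compile(
    r"(?:^|/)WEB-INF/lib/(struts2?-[a-z0-9-]*?)(?:-(\d[\w.]*))?\.jar$", re.I)

def find_struts_jars(webapps_dir):
    """Return sorted (location, artifact, version) for Struts JARs found in
    exploded applications and packed WAR files under a Tomcat webapps dir."""
    root = Path(webapps_dir)
    names = [p.relative_to(root).as_posix()
             for p in root.glob("*/WEB-INF/lib/*.jar")]
    for war in root.glob("*.war"):
        try:
            with zipfile.ZipFile(war) as zf:
                names += [f"{war.name}!/{n}" for n in zf.namelist()]
        except zipfile.BadZipFile:
            names.append(f"{war.name}!/UNREADABLE")  # reported, not skipped
    hits = []
    for name in names:
        m = JAR_RE.search(name)
        if m:
            hits.append((name, m.group(1).lower(), m.group(2) or "unknown"))
        elif name.endswith("!/UNREADABLE"):
            hits.append((name, "unreadable-war", "unknown"))
    return sorted(hits)

def build_sample(root):
    """Constructed sample: one exploded app, one WAR, one app without Struts."""
    lib = Path(root, "legacy", "WEB-INF", "lib")
    lib.mkdir(parents=True)
    (lib / "struts2-core-2.3.33.jar").write_bytes(b"")
    (lib / "commons-io-2.5.jar").write_bytes(b"")
    Path(root, "ROOT", "WEB-INF", "lib").mkdir(parents=True)
    with zipfile.ZipFile(Path(root, "shop.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-rest-plugin-2.5.12.jar", b"")
        zf.writestr("WEB-INF/lib/log4j-1.2.17.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in find_struts_jars(tmp):
            print(*hit, sep="\t")
```

Each reported artifact and version can then be compared against the Struts security bulletin for the CVE in question, or passed to the application's provider as the reply suggests.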




Re: Apache Struts 2 Vulnerability in Tomcat 7.x

2017-09-08 Thread i...@flyingfischer.ch
On 08.09.2017 at 10:59, Billy Aung Myint wrote:
> Hi Everyone,
>
> May I know if Tomcat 7.x version is affected by the Apache Struts 2 
> vulnerability?
> I mean does Tomcat use any of the Struts libraries or such in any part of 
> Tomcat?
>
> Thanks!
>
Tomcat is affected by Tomcat vulnerabilities, Struts is affected by
Struts vulnerabilities.

If you deploy old and not up-to-date Struts libraries in Tomcat, then you
will be exposed to the corresponding exploits. In this case, as always
and independent of the nature of the component: upgrade to the latest
available version and/or use other measures to block attacking requests.

Markus




Apache Struts 2 Vulnerability in Tomcat 7.x

2017-09-08 Thread Billy Aung Myint
Hi Everyone,

May I know if Tomcat 7.x version is affected by the Apache Struts 2 
vulnerability?
I mean does Tomcat use any of the Struts libraries or such in any part of 
Tomcat?

Thanks!