dhis2-devs team mailing list archive

Thread
Date

Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

To: "dhis2-devs@xxxxxxxxxxxxxxxxxxx" <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
From: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Sep 2017 01:23:11 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Stephen.Macauley@xxxxxxxxxxxxxxxxxxx;
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AdMtv+n3bp8fOxFESdShGsnxfGqvCg==
Thread-topic: Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

DHIS2 Developers and Community:

I wanted to check if DHIS2 (specifically Version: 2.25 that includes the March 2017 patch for CVE-2017-5638) is vulnerable to the newly identified Struts exploit - CVE-2017-9805?

More information available via these links: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/ and https://struts.apache.org/docs/s2-052.html

As always, thanks for your prompt response and support of DHIS2!

-Stephen

Follow ups

Re: Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?
From: Greg Wilson, 2017-09-15