dhis2-devs team mailing list archive

Thread
Date

Re: Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

To: Bob Jolliffe <bobjolliffe@xxxxxxxxx>, Greg Wilson <gwilson@xxxxxxxxxxxxxx>
From: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Sep 2017 14:44:17 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Stephen.Macauley@xxxxxxxxxxxxxxxxxxx;
Cc: "dhis2-devs@xxxxxxxxxxxxxxxxxxx" <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CACd=f9d-vk=b1HQv4nceh27RCRDF+-x0DxHsWp8z2=y_sRHtFQ@mail.gmail.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AdMtv+n3bp8fOxFESdShGsnxfGqvCgADbmcAAAwgNgAADLfFsA==
Thread-topic: [Dhis2-devs] Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

Bob and Greg, many thanks for your prompt responses.

-Stephen

-----Original Message-----
From: Bob Jolliffe [mailto:bobjolliffe@xxxxxxxxx] 
Sent: Friday, September 15, 2017 4:39 AM
To: Greg Wilson <gwilson@xxxxxxxxxxxxxx>
Cc: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>; dhis2-devs@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Dhis2-devs] Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

DHIS2 is not vulnerable to this CVE.

On 15 September 2017 at 03:52, Greg Wilson <gwilson@xxxxxxxxxxxxxx> wrote:
> I asked the core team last week and they said DHIS2 does not use the 
> REST plugin that CVE-2017-9805 addresses. If this is not correct, I am 
> sure one of them will correct me in a couple hours.
>
> Greg Wilson
>
>
> On Thu, Sep 14, 2017 at 9:23 PM, Stephen Macauley 
> <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>> DHIS2 Developers and Community:
>>
>>
>>
>> I wanted to check if DHIS2 (specifically Version: 2.25 that includes 
>> the March 2017 patch for CVE-2017-5638) is vulnerable to the newly 
>> identified Struts exploit - CVE-2017-9805?
>>
>>
>>
>> More information available via these links:
>> https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisati
>> on-vulnerability-what-you-need-to-know/
>> and https://struts.apache.org/docs/s2-052.html
>>
>>
>>
>> As always, thanks for your prompt response and support of DHIS2!
>>
>>
>>
>> -Stephen
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
>
> --
> Greg Wilson
> BAO Systems
> gwilson@xxxxxxxxxxxxxx
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>

References

Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?
From: Stephen Macauley, 2017-09-15
Re: Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?
From: Greg Wilson, 2017-09-15
Re: Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?
From: Bob Jolliffe, 2017-09-15