dhis2-devs team mailing list archive

Thread
Date

CVE-2018-11776 struts exploit | impact to DHIS 2?

To: "dhis2-devs@xxxxxxxxxxxxxxxxxxx" <dhis2-devs@xxxxxxxxxxxxxxxxxxx>, "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>
From: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 7 Sep 2018 20:18:51 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Stephen.Macauley@xxxxxxxxxxxxxxxxxxx;
Cc: Matthew Dollacker <Matthew.Dollacker@xxxxxxxxxxxxxxxxxxx>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AdRG563t83MLsQfzTR2tIrLMJ2pt/w==
Thread-topic: CVE-2018-11776 struts exploit | impact to DHIS 2?

DHIS2 Dev Team,

Can you comment on the recent CVE-2018-11776<https://cwiki.apache.org/confluence/display/WW/S2-057> vulnerability in Struts 2.0 being contained in DHIS 2 (specially Version 2.25).  I did not see any recent threads about this on DHIS 2 DEV or USERS mailing lists.

Additional details on the vulnerability (and patch from Apache) is available here:  https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/?_ke=eyJrbF9lbWFpbCI6ICJtYXR0aGV3LmRvbGxhY2tlckBnbWFpbC5jb20iLCAia2xfY29tcGFueV9pZCI6ICJlN1lDM3UifQ%3D%3D

Many thanks in advance,
-Stephen

Follow ups

Re: CVE-2018-11776 struts exploit | impact to DHIS 2?
From: Morten Olav Hansen, 2018-09-10