dhis2-devs team mailing list archive

Thread
Date

Re: CVE-2018-11776 struts exploit | impact to DHIS 2?

To: Morten Olav Hansen <morten@xxxxxxxxx>
From: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 11 Sep 2018 22:29:20 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Stephen.Macauley@xxxxxxxxxxxxxxxxxxx;
Cc: dhis2-users <dhis2-users@xxxxxxxxxxxxxxxxxxx>, Matthew Dollacker <Matthew.Dollacker@xxxxxxxxxxxxxxxxxxx>, dhis2-devs <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAKzUaAcCq+GqyywJ0+zJpbH10MDmAQxQcLyRQi7M-Ro4i37A5Q@mail.gmail.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AdRG563t83MLsQfzTR2tIrLMJ2pt/wBt+FEAAF/MChA=
Thread-topic: [Dhis2-devs] CVE-2018-11776 struts exploit | impact to DHIS 2?

Hi, Morten.

Apologies for the late reply.  Thank you for confirming the vulnerability is not present.

Much appreciated.

-Stephen

From: Morten Olav Hansen <morten@xxxxxxxxx>
Sent: Sunday, September 9, 2018 8:45 PM
To: Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>
Cc: dhis2-devs <dhis2-devs@xxxxxxxxxxxxxxxxxxx>; dhis2-users <dhis2-users@xxxxxxxxxxxxxxxxxxx>; Matthew Dollacker <Matthew.Dollacker@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Dhis2-devs] CVE-2018-11776 struts exploit | impact to DHIS 2?

Hi Stephan

Let me include Lars reply from a thread where we were discussing this.

"""
we did an assessment of this last week and concluded that we are not affected by this vulnerability. This due to the two conditions mentioned (use of namespaces and alwaysSelectFullNamespace config property).

That said we have patched all versions from 2.28 and later and you can fetch the new builds from dhis2.org/downloads<http://dhis2.org/downloads>.
"""

--
Morten Olav Hansen
Senior Engineer, DHIS 2
Team Integration Lead
University of Oslo
http://www.dhis2.org


On Sat, Sep 8, 2018 at 3:19 AM Stephen Macauley <Stephen.Macauley@xxxxxxxxxxxxxxxxxxx<mailto:Stephen.Macauley@xxxxxxxxxxxxxxxxxxx>> wrote:
DHIS2 Dev Team,

Can you comment on the recent CVE-2018-11776<https://cwiki.apache.org/confluence/display/WW/S2-057> vulnerability in Struts 2.0 being contained in DHIS 2 (specially Version 2.25).  I did not see any recent threads about this on DHIS 2 DEV or USERS mailing lists.

Additional details on the vulnerability (and patch from Apache) is available here:  https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/?_ke=eyJrbF9lbWFpbCI6ICJtYXR0aGV3LmRvbGxhY2tlckBnbWFpbC5jb20iLCAia2xfY29tcGFueV9pZCI6ICJlN1lDM3UifQ%3D%3D

Many thanks in advance,
-Stephen
_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~dhis2-devs
More help   : https://help.launchpad.net/ListHelp

References

CVE-2018-11776 struts exploit | impact to DHIS 2?
From: Stephen Macauley, 2018-09-07
Re: CVE-2018-11776 struts exploit | impact to DHIS 2?
From: Morten Olav Hansen, 2018-09-10