Date: Wed, 4 Oct 2017 11:27:00 +0000 (UTC)
From: "Parthiban Palanisamy (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Subject: [jira] [Created] (WW-4867) Apache Struts framework 1.1 and 2.x vulnerability clarification

Parthiban Palanisamy created WW-4867:
----------------------------------------

             Summary: Apache Struts framework 1.1 and 2.x vulnerability clarification
                 Key: WW-4867
                 URL: https://issues.apache.org/jira/browse/WW-4867
             Project: Struts 2
          Issue Type: Task
         Environment: apache Struts framework 1.1
            Reporter: Parthiban Palanisamy
            Priority: Blocker


Hello,

I'm an active user of the Apache Struts framework 1.1 and 2.x. Recently we learned that there is a vulnerability in Apache Struts' Jakarta Multipart parser rated as high risk. This may lead to warning of remote code execution (RCE) attacks that were evident at Equifax, which led to complete system compromises.

So I would like to take your inputs and understand whether the recent RCE vulnerability also affects the 1.1/1.x versions precisely. If yes, could you please support with your thoughts on the next course of action to resolve the issue?

Thanks, and I appreciate your support at the earliest.

Regards,
Parthiban