[las_users] Re: [EXTERNAL] Re: LAS struts security issue - need to upgrade to struts 2.5.25



All,

You can pick up the new release (https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.18), but the only change is the struts2-core jar. Replacing the jar file in your LAS_HOME directory, then doing "ant clean; ant deploy" to install it will be the same as what's in the tar.

Roland

On Mon, Jun 13, 2022 at 2:18 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

Hi Roland,

We got a new Struts vulnerability ticket from NASA.

#23037: High Vulnerability: Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062) (159667)

  Path              : /usr/local/tomcat/webapps/EarthSystemLAS/WEB-INF/lib/struts2-core-2.5.26.jar
  Installed version : 2.5.26
  Fixed version     : 2.5.30

Let me know if you can create a new version for us. Or let us know how we upgrade to the new struts version.

--Bryan

Description: The version of Apache Struts installed on the remote host is prior to 2.5.30. It is, therefore, affected by a vulnerability as referenced in the S2-062 advisory.

- The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. (CVE-2021-31805)

Solution: Upgrade to Apache Struts version 2.5.30 or later. Alternatively, apply the workaround as referenced in the vendor's security bulletin.

See Also: https://cwiki.apache.org/confluence/display/WW/S2-062

From: Roland Schweitzer - NOAA Affiliate <roland.schweitzer@xxxxxxxx>
Sent: Wednesday, January 13, 2021 11:28 AM
To: Bryan Littlefield <bryan.littlefield@xxxxxxxxxx>
Cc: las_users@xxxxxxxx
Subject: [EXTERNAL] Re: LAS struts security issue - need to upgrade to struts 2.5.25

 

Bryan,

I built a tar file with the new library. I've tested it a bit. You can also just replace the library and recompile.

Roland

On Tue, Jan 12, 2021 at 10:46 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

Hi Roland,

NASA opened another security ticket on our LAS with regards to Struts. We have struts 2.5.25 but need to upgrade to struts 2.5.26.

We have some custom content in webapps that would get wiped out by an “ant clean/deploy” operation, so we hesitate to rebuild.

If you can create a new version with the upgraded struts version, that might be best, like you did for this release:

https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.10

From Security: This needs to be resolved within 14 calendar days.

#19510: High Vulnerability: Apache Struts 2.x < 2.5.26 RCE (S2-061) (143599)

https://www.tenable.com/plugins/nessus/143599

Thanks again –Bryan

***************************************************************

Bryan Littlefield | Email : bryanl.littlefield@xxxxxxxxxx

Science Systems and Applications, Inc. | (626)508-9403

***************************************************************

--

The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce or the National Oceanic and Atmospheric Administration.



--
You can call or text me at: (425) 666-9624

The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce or the National Oceanic and Atmospheric Administration.
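The Nessus finding quoted above works by comparing the version in the struts2-core jar's filename against the fixed version from the S2-062 advisory (2.5.30). As an added example, not code from the LAS project or from anyone in this thread, this POSIX shell script performs the same check across a Tomcat webapps tree, so an operator can confirm the jar swap landed before closing the ticket; the directory layout it scans is constructed inline to mirror the path in the finding.

```shell
#!/bin/sh
# Added example: flag struts2-core jars under a webapps tree that are older
# than the fixed version named in the S2-062 finding. Sample paths are constructed.

FIXED_VERSION="2.5.30"

# version_lt A B -> exit 0 when dotted version A is strictly lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;   # missing components count as 0
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# jar_version PATH -> prints the version embedded in struts2-core-<ver>.jar, else nothing
jar_version() {
    basename "$1" .jar | sed -n 's/^struts2-core-//p'
}

# struts_jar_status PATH -> prints "vulnerable", "fixed" or "unknown"
struts_jar_status() {
    v=$(jar_version "$1")
    [ -n "$v" ] || { echo unknown; return; }
    if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# scan_webapps DIR -> one line per struts2-core jar found in any WEB-INF/lib
scan_webapps() {
    find "$1" -path '*/WEB-INF/lib/struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        printf '%s %s %s\n' "$(struts_jar_status "$jar")" "$(jar_version "$jar")" "$jar"
    done
}

# Constructed sample layout: one webapp still on 2.5.26, one already on 2.5.30
demo=$(mktemp -d)
mkdir -p "$demo/EarthSystemLAS/WEB-INF/lib" "$demo/other/WEB-INF/lib"
: > "$demo/EarthSystemLAS/WEB-INF/lib/struts2-core-2.5.26.jar"
: > "$demo/other/WEB-INF/lib/struts2-core-2.5.30.jar"
scan_webapps "$demo"
rm -rf "$demo"
```

Point `scan_webapps` at the real `webapps` directory (for the path in the ticket, `/usr/local/tomcat/webapps`) after running `ant deploy`; any line starting with `vulnerable` means an old jar is still being served.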
