[las_users] Re: LAS struts security issue - need to upgrade to struts 2.5.25

To: Bryan Littlefield <bryan.littlefield@xxxxxxxxxx>

Subject: [las_users] Re: LAS struts security issue - need to upgrade to struts 2.5.25

From: Roland Schweitzer - NOAA Affiliate <roland.schweitzer@xxxxxxxx>

Date: Tue, 27 Oct 2020 08:56:16 -0700

Arc-authentication-results: i=2; mx.google.com; dkim=pass header.i=@noaa.gov header.s=google header.b="HQX/AJf4"; spf=pass (google.com: domain of roland.schweitzer@xxxxxxxx designates 209.85.220.41 as permitted sender) smtp.mailfrom=roland.schweitzer@xxxxxxxx; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=noaa.gov

Arc-authentication-results: i=1; mx.google.com; dkim=pass header.i=@noaa.gov header.s=google header.b="HQX/AJf4"; spf=pass (google.com: domain of roland.schweitzer@xxxxxxxx designates 209.85.220.41 as permitted sender) smtp.mailfrom=roland.schweitzer@xxxxxxxx; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=noaa.gov

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-archive:list-help:list-post:list-id:mailing-list:precedence:cc :to:subject:message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=nkFQqy408rLNDxjxnK53yjEbmfuvwAWmZw7lg0GVbMQ=; b=h4TFVCUSLeYfyhPwc0bFiUbCV6jzptuXz1R52TNr/887AobRW1HzwNmFldrIvnXU7M mIAVoE8S+PGMIJwy4Szv7dCOEgWnlYS/5nX/t+fjkCV48XdmzoNoYmuYujqyGCa8q3+4 ro9t1zOF9VbJgN+qcxZbhSpYqDtvypEU4YCwv+w+0JG4S6nSaQ9eRLVgtauqWljzzdRg L4YgXJdYerYKkPx6kCyW8/9jI2sUY24HqOa9ZKc7n2FIUxZ8DUjqq5F2OzXylvdE7hY5 qHH15fxqDLtHomEbPKFbdtrnAiRnooBab4Aj0Ql1yRstE/nnbjFc2RX3f/v3jnZlxQav tbQQ==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=nkFQqy408rLNDxjxnK53yjEbmfuvwAWmZw7lg0GVbMQ=; b=HwQStEIf4jS4PdiK77JGjKNtfbknS6MkwetI2fFVd/LhiXPexl3o23bSM6eYgsq76I xX+LrBQ2tP/HCvg/E68bbv6gnQ43//Umv1ZQL7RMUuHgMy5EM3gn31c3b7Oi+Cnw1KxK /NIy99wFifH+dd+VNDd1pJUIRxtWpEfBvZNoJoG+DIQASI5jtKMVa721BrPsawNE1mT2 wBbXRssahI1jgIobFkKWBu/rMSl/l3G/7jmfUDRWuU05dYA7LNOMZ3A1keZBn9noh7e6 DI924BwS7GURVJ4dJT7w4lOaNf3xJXO4s1/T5z9GQKf8DG1/mPX5qnUpVS2dp4oCF4gy M2mw==

Arc-seal: i=2; a=rsa-sha256; t=1603814189; cv=pass; d=google.com; s=arc-20160816; b=pkSlPcO3XmXerKadPAba/Kz6aXnS32foWRBika5HnvWm7MGjAfC0SjMcljFNcHDt1E Ge402npvJpjUCa+gn82tQIcWCLIeAqFoXwZTPKFUrkhFPgOj5QFYLBaN0NlqF+Oag7OO Ba31k8AJwggUvoe6+bCWWjlflziPQ3y78ej1cml6fJ1Lh8/T8xiTADHR2h3qKGt6ly+G Q05K4uKaTWMCftvpTqRg5lqZEIIa41aOp5u+vw9UAMsJoR/4xQMRkQBpab62fQ0drnC2 iXSgV1J7vIW3e9pJf5cSOJAvnruChOmsIUb792068XmsYMt/iQwfdqagYEBiUUPYXVG+ fbSw==

Arc-seal: i=1; a=rsa-sha256; t=1603814187; cv=none; d=google.com; s=arc-20160816; b=HrkMfX7tNEpCccFB/ukC3gV/GAWDw8QRpP/J+HfHfZiyjlRB3maZOwvyZW1Rn3HGkK G0SFArbL0NViVNZCbL0c9TEr/AKsE22Y+ju8OGmwd3HMGGjfb3cfKi6I6kW1X0Vxg9zP 8uUqJ38lj11nzEJrpvinE3908cSzkzjNRPakw4yOeNQndiQ//NwB1W0zFc2eNNnasaiy E53v1k3kR6lGFL035VeD1wpjpuUaP9OHjn4hfXKeLjqHyIbslPyHHjkgPEj0eNXjHcn0 VLsT3hmSR+S0TJbYzOPpXdNmopMbBuLzc+qzE8Sxrj3dDmCtiM4Gmh8YcPWWtA1HD1Sf V2bA==

Cc: "las_users@xxxxxxxx" <las_users@xxxxxxxx>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=noaa.gov; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:x-original-sender:x-original-authentication-results:precedence :mailing-list:list-id:list-post:list-help:list-archive; bh=nkFQqy408rLNDxjxnK53yjEbmfuvwAWmZw7lg0GVbMQ=; b=I+GwW7ya7y/lTSIcgIzwK4hvrVk6lcxhU1sq/8gVybCl/kjmVcOauKPhxL6yO8wsBb GHGVJ5TthO12d15Jkw2GIU7qJmssg9FdeXwiMvSvcy0mlWdVGGfuIaR7c+xWZytyfCom hPQ9YFaWXGRLM/ZQ3JTAV6GStb9/gROgldetqRbswfb9bEpt9sETuTUSTiHyqQHWpDi2 sqMuTZwhkXgmW8G7erktcU6vX85QB3KUQ2lcREZuHKm/H2QrAtLIpCI9rc93W3vo/XKp 2IQUOjrM/CHbw6ZQhDprkF80bHXnp1uNcFZ443PckkC/RuX1gYeidyQW7ueeEzBNxZNc /rqg==

In-reply-to: <MN2PR17MB351926728207E889749E3A8582190@MN2PR17MB3519.namprd17.prod.outlook.com>

List-archive: <https://groups.google.com/a/noaa.gov/group/las_users/>

List-help: <https://support.google.com/a/noaa.gov/bin/topic.py?topic=25838>, <mailto:las_users+help@noaa.gov>

List-id: <las_users.noaa.gov>

List-post: <https://groups.google.com/a/noaa.gov/group/las_users/post>, <mailto:las_users@noaa.gov>

Mailing-list: list las_users@xxxxxxxx; contact las_users+owners@xxxxxxxx

References: <MN2PR17MB351926728207E889749E3A8582190@MN2PR17MB3519.namprd17.prod.outlook.com>

Sender: owner-las_users@xxxxxxxx

Bryan,

I made a release which upgrades LAS 8 to use Struts 2 2.5.25. You can find it here: https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.10.

Thanks for letting me know. I hope this helps.

Roland

On Mon, Oct 26, 2020 at 4:09 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

HI Roland,

NASA opened a security ticket on our LAS with regards to Struts, we have structs 2.5.17 but need to upgrade to struts 2.5.25.

How do we upgrade structs, can we replace the JAR with the update one? Or do we have rebuild with ant (info below from github) ?

We have some custom content in webapps that would get wiped out by a “ant clean/deploy” operation, so we hesitate to rebuild.

If you got a new version with the upgraded struts version, that might be best.

Thanks --Bryan

https://github.com/NOAA-PMEL/LAS/releases

This release upgrades to the latest Struts 2 library (2.5.17) which addresses a potential vulnerability.

It includes some minor code changes and bug fixes.

If you don't want to upgrade your entire code base replace the file:

Web Content/WEB-INF/lib/struts2-core-2.5.13.jar with struts2-core-2.5.17.jar

and execute

ant clean

ant deploy

to install the changes.

***************************************************************

Bryan Littlefield | Email : bryanl.littlefield@xxxxxxxxxx

Science Systems and Applications, Inc. | (626)508-9403

***************************************************************

The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce or the National Oceanic and Atmospheric Administration.