
[las_users] Re: [EXTERNAL] Re: LAS struts security issue - need to upgrade to struts 2.5.25



Yes, those are the steps, except this time you will be replacing the current struts2 jar with struts2-core-2.5.26.jar.

Roland

On Wed, Jan 13, 2021 at 1:07 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

Hi Roland,

Thanks for the quick turnaround.

We might try doing a rebuild to see if we can keep the customizations we have made.

Below is what we would do. Do we ever need to do an “ant build”?

 

If you don't want to upgrade your entire code base replace the file:

Web Content/WEB-INF/lib/struts2-core-2.5.13.jar with struts2-core-2.5.17.jar

and execute

ant clean

ant deploy

 

Thanks --Bryan

 

 

***************************************************************

Bryan Littlefield | Email : bryanl.littlefield@xxxxxxxxxx

Science Systems and Applications, Inc. | (626)508-9403

***************************************************************

 

From: Roland Schweitzer - NOAA Affiliate <roland.schweitzer@xxxxxxxx>
Sent: Wednesday, January 13, 2021 11:28 AM
To: Bryan Littlefield <bryan.littlefield@xxxxxxxxxx>
Cc: las_users@xxxxxxxx
Subject: [EXTERNAL] Re: LAS struts security issue - need to upgrade to struts 2.5.25

 

Bryan,

 

I built a tar file with the new library. I've tested it a bit. You can also just replace the library and recompile.

 

Roland

 

 

 

On Tue, Jan 12, 2021 at 10:46 PM Bryan Littlefield <bryan.littlefield@xxxxxxxxxx> wrote:

Hi Roland,

NASA opened another security ticket on our LAS with regard to Struts. We have struts 2.5.25 but need to upgrade to struts 2.5.26.

We have some custom content in webapps that would get wiped out by an “ant clean/deploy” operation, so we hesitate to rebuild.

If you can create a new version with the upgraded struts version, that might be best like you did for this release:

https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.10.

 

From Security: This needs to be resolved within 14 calendar days.

#19510: High Vulnerability: Apache Struts 2.x < 2.5.26 RCE (S2-061) (143599)

https://www.tenable.com/plugins/nessus/143599

 

Thanks again –Bryan

 


 


 

--

The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce or the National Oceanic and Atmospheric Administration.
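
As an added example (not part of the original thread or of the LAS project's code): a shell check a site could run after the jar swap discussed above, to confirm that the library directory holds no struts2-core jar older than the 2.5.26 named in the Nessus finding, including an old jar left beside the new one. It assumes the version can be read from the jar's file name; the function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example. Minimum version taken from the Nessus finding quoted in the thread.
MIN_VERSION="2.5.26"

# version_lt A B: succeeds when dotted numeric version A is strictly lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the leading component; an exhausted side counts as 0.
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # equal versions are not "lower"
}

# scan_struts_jars DIR: prints one status line per struts2-core jar in DIR.
# Returns 0 only if at least one jar is present and none is below MIN_VERSION.
# Assumption: the version is encoded in the file name (struts2-core-X.Y.Z.jar).
scan_struts_jars() {
    dir=$1; found=0; bad=0
    for jar in "$dir"/struts2-core-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        found=1
        ver=${jar##*/struts2-core-}; ver=${ver%.jar}
        case $ver in
            ""|*[!0-9.]*)                  # e.g. a suffix we cannot compare
                echo "UNKNOWN $jar"; bad=1 ;;
            *)
                if version_lt "$ver" "$MIN_VERSION"; then
                    echo "OUTDATED $jar"; bad=1
                else
                    echo "OK $jar"
                fi ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use: pass the lib directory, e.g. "Web Content/WEB-INF/lib".
if [ "$#" -eq 1 ]; then
    scan_struts_jars "$1"
fi
```

Run it against both the source tree's lib directory and the deployed webapp's WEB-INF/lib, since the vulnerability scanner sees the deployed copy.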


