Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

On Thu, Sep 14, 2017 at 9:23 PM, Stephen Macauley Stephen.Macauley@inductivehealth.com wrote:

DHIS2 Developers and Community:

I wanted to check if DHIS2 (specifically Version: 2.25 that includes the March 2017 patch for CVE-2017-5638) is vulnerable to the newly identified Struts exploit - CVE-2017-9805?

More information available via these links:
https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/ and https://struts.apache.org/docs/s2-052.html

As always, thanks for your prompt response and support of DHIS2!

-Stephen

---

Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

–

Greg Wilson
BAO Systems

gwilson@baosystems.com

On 15 September 2017 at 03:52, Greg Wilson <gwilson@baosystems.com> wrote:

I asked the core team last week and they said DHIS2 does not use the REST
plugin that CVE-2017-9805 addresses. If this is not correct, I am sure one
of them will correct me in a couple hours.

Greg Wilson

On Thu, Sep 14, 2017 at 9:23 PM, Stephen Macauley > <Stephen.Macauley@inductivehealth.com> wrote:

DHIS2 Developers and Community:

I wanted to check if DHIS2 (specifically Version: 2.25 that includes the
March 2017 patch for CVE-2017-5638) is vulnerable to the newly identified
Struts exploit - CVE-2017-9805?

More information available via these links:
Naked Security – Sophos News
and S2-052 - Apache Struts 2 Wiki - Apache Software Foundation

As always, thanks for your prompt response and support of DHIS2!

-Stephen

_______________________________________________
Mailing list: DHIS 2 developers in Launchpad
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : DHIS 2 developers in Launchpad
More help : ListHelp - Launchpad Help

--
Greg Wilson
BAO Systems
gwilson@baosystems.com

_______________________________________________
Mailing list: DHIS 2 developers in Launchpad
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : DHIS 2 developers in Launchpad
More help : ListHelp - Launchpad Help

-----Original Message-----
From: Bob Jolliffe [mailto:bobjolliffe@gmail.com]
Sent: Friday, September 15, 2017 4:39 AM
To: Greg Wilson <gwilson@baosystems.com>
Cc: Stephen Macauley <Stephen.Macauley@inductivehealth.com>; dhis2-devs@lists.launchpad.net
Subject: Re: [Dhis2-devs] Latest Struts exploit - CVE-2017-9805 | impact to DHIS2?

DHIS2 is not vulnerable to this CVE.

On 15 September 2017 at 03:52, Greg Wilson <gwilson@baosystems.com> wrote:

I asked the core team last week and they said DHIS2 does not use the
REST plugin that CVE-2017-9805 addresses. If this is not correct, I am
sure one of them will correct me in a couple hours.

Greg Wilson

On Thu, Sep 14, 2017 at 9:23 PM, Stephen Macauley > <Stephen.Macauley@inductivehealth.com> wrote:

DHIS2 Developers and Community:

I wanted to check if DHIS2 (specifically Version: 2.25 that includes
the March 2017 patch for CVE-2017-5638) is vulnerable to the newly
identified Struts exploit - CVE-2017-9805?

More information available via these links:
Naked Security – Sophos News
on-vulnerability-what-you-need-to-know/
and S2-052 - Apache Struts 2 Wiki - Apache Software Foundation

As always, thanks for your prompt response and support of DHIS2!

-Stephen

_______________________________________________
Mailing list: DHIS 2 developers in Launchpad
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : DHIS 2 developers in Launchpad
More help : ListHelp - Launchpad Help

--
Greg Wilson
BAO Systems
gwilson@baosystems.com

_______________________________________________
Mailing list: DHIS 2 developers in Launchpad
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : DHIS 2 developers in Launchpad
More help : ListHelp - Launchpad Help