[Spacewalk-list] Spacewalk Possible Remote Code Exploit Heads Up

Michael Mraka michael.mraka at redhat.com
Thu Mar 9 09:03:37 UTC 2017


Eric:
> I certainly hope you are right.  Though I believe the version you listed is the RedHat package, not the one in the jpackage repo that the install documents indicate.  That is struts-1.3.8-2.jpp5.noarch.  That version already pops in 3 different scanner products for other vulnerabilities.

Hello,

As Avi already mentioned, CVE-2017-5638 is relevant to struts v2.
Spacewalk uses the older struts v1. Security issues reported against v1
in the past have been fixed or mitigated by Spacewalk configuration.

Regards,

> Happy Connecting. Sent from my Sprint Samsung Galaxy S® 5 Sport
> 
> -------- Original message --------
> 
> Hi,
> 
> The CVE is applicable to struts2, while the version from JPackage is struts-1.3.10-12.el7.noarch. I’m assuming (hoping) that it’s actually too old to be vulnerable.
> 
> Cheers,
> Avi
> 
> > On 9 Mar 2017, at 5:49 am, Eric <ericb at enrsystems.com> wrote:
> > 
> > CVE-2017-5638
> > 
> > Struts.  Our struts package is from the Generic Jpackage repository.  The 
> > struts rpm there has not been maintained for years.  The current build 
> > directions point at that repository, so I believe that makes ALL current 
> > versions of Spacewalk, including 2.6, vulnerable.
> > 
> > Thoughts?  I believe it's applicable, but I may be mistaken, please correct me 
> > if I'm wrong!!!
> > 
> > If it is vulnerable, is there an alternative package that is known to work 
> > with Spacewalk?  I am facing the very real possibility of being required to 
> > take my Spacewalk server offline today, a huge impact to my environment.
> > 
> > Thanks!

--
Michael Mráka
System Management Engineering, Red Hat
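The thread turns on which Struts major version a Spacewalk host actually carries. As an added illustration, not code from this thread or from the Spacewalk project, the script below classifies the installed struts RPMs and any struts jars under the webapp directory; the sample names and the Tomcat webapp path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Spacewalk project: answer the
# "struts 1 or struts 2?" question from what is installed, not from the
# install docs.  CVE-2017-5638 is a Struts 2 issue, so a host carrying only
# 1.x artefacts is out of its scope (while still carrying whatever 1.x issues
# a scanner reports).  Sample names and the webapp path are assumptions.

# struts_major NAME
#   Print the Struts major version implied by an RPM NVR or a jar file name:
#   struts-1.3.10-12.el7.noarch -> 1, struts2-core-2.3.20.jar -> 2,
#   "unknown" when the name carries no version number.
struts_major() {
  name=${1##*/}                  # strip any directory part
  name=${name%.jar}              # strip a jar suffix
  case "$name" in
    struts2-*) echo 2; return 0 ;;   # Struts 2 artefacts are named struts2-*
  esac
  # first dash-separated numeric field that follows the artefact name
  v=$(printf '%s\n' "$name" | sed -n 's/^struts[a-z0-9-]*-\([0-9][0-9]*\)\..*/\1/p')
  echo "${v:-unknown}"
}

# scan_struts_jars DIR
#   List every struts*.jar under DIR as "<major> <path>", one per line.
scan_struts_jars() {
  find "$1" -type f -name 'struts*.jar' | sort | while IFS= read -r jar; do
    printf '%s %s\n' "$(struts_major "$jar")" "$jar"
  done
}

# struts2_present DIR -> exit status 0 if any Struts 2 jar is found under DIR
struts2_present() {
  scan_struts_jars "$1" | grep -q '^2 '
}

# Usage on a host:  sh struts_inventory.sh --scan [WEBAPP_DIR]
# (the default webapp path is an assumption, not taken from the thread)
if [ "${1:-}" = "--scan" ]; then
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa 'struts*' | while IFS= read -r pkg; do
      printf 'rpm: %s (struts %s)\n' "$pkg" "$(struts_major "$pkg")"
    done
  fi
  scan_struts_jars "${2:-/var/lib/tomcat/webapps/rhn}"
fi
```

A "2" in either listing means Struts 2 code is present and CVE-2017-5638 needs a real assessment; a listing of only "1" entries confirms the thread's reading that the host runs the 1.x code base.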
