Issue:
A newly found vulnerability in Apache Struts has raised concern among some users of Pentaho that they may be at risk.
Pentaho has conducted an extensive review of our product and determined that the classes noted in CVE-2017-5638 are not used within Pentaho.
Pentaho's configuration files do contain a reference to “spring-struts”; however, Pentaho does not ship Struts jars or Struts classes in the codebase. Thus, Pentaho is not impacted and there is no reason for concern.
Removing the reference (feature definition) from the configuration file has no adverse effect on the application. Anyone wishing to remove this feature definition may follow the instructions below.
Details of this vulnerability may be found in CVE-2017-5638.
Steps to remove:
1. Edit the <server installation path>\pentaho-solutions\system\karaf\system\org\apache\karaf\features\spring\<version>\spring-<version>-features.xml file
2. Remove the <feature name="spring-struts" ... > </feature> tags, and everything between them (this may occur twice in the file).
Specifically:
<feature name="spring-struts" version="3.1.4.RELEASE" description="Spring 3.1.x Struts support" resolver="(obr)">
    <feature version="[3.1.4.RELEASE,3.2)">spring-web</feature>
    <feature>war</feature>
    <bundle start-level="30" dependency="true">mvn:commons-collections/commons-collections/3.2.2</bundle>
    <bundle start-level="30" dependency="true">mvn:commons-beanutils/commons-beanutils/1.9.2</bundle>
    <bundle start-level="30" dependency="true">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.struts/1.3.10_1</bundle>
    <bundle start-level="30">mvn:org.springframework/spring-struts/3.1.4.RELEASE</bundle>
</feature>
<feature name="spring-struts" version="3.2.11.RELEASE_1" description="Spring 3.2.x Struts support" resolver="(obr)">
    <feature version="[3.2.11.RELEASE_1,3.3)">spring-web</feature>
    <feature>war</feature>
    <bundle start-level="30" dependency="true">mvn:commons-collections/commons-collections/3.2.2</bundle>
    <bundle start-level="30" dependency="true">mvn:commons-beanutils/commons-beanutils/1.9.2</bundle>
    <bundle start-level="30" dependency="true">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.struts/1.3.10_1</bundle>
    <bundle start-level="30">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-struts/3.2.11.RELEASE_1</bundle>
</feature>
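The two steps above, done programmatically, as an added example that is not Pentaho's own tooling: it strips every top-level <feature name="spring-struts"> definition from a Karaf features file (nested <feature>war</feature> references inside other features are untouched) and scans the Karaf system repository for any Struts jar, which, per this article, should find nothing. The features XML below is a constructed sample, and the namespace URI and directory layout are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Karaf features file; not a real Pentaho file.
SAMPLE_FEATURES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<features xmlns="http://karaf.apache.org/xmlns/features/v1.2.0" name="spring-sample">
  <!-- constructed sample -->
  <feature name="spring-web" version="3.2.11.RELEASE_1">
    <bundle>mvn:org.springframework/spring-web/3.2.11.RELEASE</bundle>
  </feature>
  <feature name="spring-struts" version="3.1.4.RELEASE" resolver="(obr)">
    <feature>war</feature>
    <bundle start-level="30">mvn:org.springframework/spring-struts/3.1.4.RELEASE</bundle>
  </feature>
  <feature name="spring-struts" version="3.2.11.RELEASE_1" resolver="(obr)">
    <feature>war</feature>
    <bundle start-level="30">mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-struts/3.2.11.RELEASE_1</bundle>
  </feature>
</features>
"""


def remove_spring_struts_features(xml_text, name="spring-struts"):
    """Return (new_xml_text, number_of_feature_definitions_removed)."""
    # Keep XML comments so the file round-trips faithfully (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    # Preserve the file's default namespace instead of letting ElementTree emit ns0:.
    ns_uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns_uri:
        ET.register_namespace("", ns_uri)
    removed = 0
    for child in list(root):  # direct children only; comments have a non-str tag
        local = child.tag.split("}")[-1] if isinstance(child.tag, str) else ""
        if local == "feature" and child.get("name") == name:
            root.remove(child)
            removed += 1
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, removed


def find_struts_jars(karaf_system_dir):
    """List any jar under the Karaf system repository whose name mentions struts."""
    hits = []
    for dirpath, _dirs, files in os.walk(karaf_system_dir):
        for filename in files:
            lowered = filename.lower()
            if lowered.endswith(".jar") and "struts" in lowered:
                hits.append(os.path.join(dirpath, filename))
    return hits
```

To apply this to an installation, read the spring-<version>-features.xml file named in step 1, pass its text to remove_spring_struts_features, and write the result back after keeping a backup of the original; find_struts_jars takes the `<server installation path>\pentaho-solutions\system\karaf\system` directory.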
If you have any questions, please visit Pentaho’s Support Portal and open a ticket referencing this article.