[IPT] Security update

Laura Russell larussell at vertnet.org
Mon Sep 23 17:00:59 CEST 2013

I'd be interested in knowing the outcomes of the CentOS patching as several
of the institutions I support or advise on their IPTs use CentOS.  I'm just
getting ready to email all of them now to get to work on this.

Laura Russell
VertNet Programmer
KU Biodiversity Institute
1345 Jayhawk Blvd.
Dyche Hall, Room 606
Lawrence, KS 66045

Phone: +01 785 864-4681
Fax: +01 785 864-5335

email: larussell at vertnet.org
email: larussell at ku.edu

Skype: laura.anne.russell
Gchat: larussell at vertnet.org

url: www.vertnet.org

From:  "Tim Robertson [GBIF]" <trobertson at gbif.org>
Date:  Monday, September 23, 2013 9:53 AM
To:  Mickael Graf <Mickael.Graf at nrm.se>
Cc:  "IPT at lists.gbif.org list" <ipt at lists.gbif.org>, Anders Telenius
<Anders.Telenius at nrm.se>
Subject:  Re: [IPT] Security update

Hej Mickael, 

Thanks for taking action.

Can you share your catalina logs please?  This could well be a conflict in
dependencies or similar.  We'll help diagnose.  If you would rather not CC
everyone, please contact Kyle and myself directly and CC only those you are
happy to discuss details with.

As an aside - those OS and tomcat versions are quite ancient.  There could
well be other security holes in your system for other reasons, so I'd
suggest scheduling some upgrades for safety reasons when it fits with your
other deployments - most likely you are aware of this though.


On Sep 23, 2013, at 4:42 PM, Mickael Graf wrote:

> Dear all,
> I went through all the steps and now, although I have a nice
> $tomcat/webapps/ipt directory I have a not so nice error 404 while trying to
> access the app for completing the installation. "The requested resource () is
> not available." it says...
> I don't know if the reason is my old CentOS 5/Tomcat 5 or an error in ipt.war,
> but I would bet on the latter.
> Cheers
> Mickaël
> From: ipt-bounces at lists.gbif.org [ipt-bounces at lists.gbif.org] on behalf of
> Kyle Braak [GBIF] [kbraak at gbif.org]
> Sent: Monday, September 23, 2013 12:31
> To: IPT at lists.gbif.org list
> Subject: [IPT] Security update
> Dear IPT users,
> This is an important message.
> IPT administrators should update their IPTs to the new version which has a
> security update and was released yesterday:
> https://code.google.com/p/gbif-providertoolkit/
> The security update fixes critical vulnerabilities that have been discovered
> in the Apache Struts web framework, which the IPT uses.
> According to this article
> <http://www.computerworld.com/s/article/9241639/Hackers_target_servers_running_Apache_Struts_apps?source=CTWNLE_nlt_security_2013-08-15>, these Struts
> vulnerabilities allow hackers to break into a server. It goes on to say that
> hackers are actively exploiting these vulnerabilities.
> Simple instructions on how to update your IPT are below. If you don't have
> time to update your IPT immediately, I would advise you to take it offline
> until you can.
> You can refer to this article
> <https://www.mandiant.com/blog/responding-attacks-apache-struts2/>, which
> describes how to determine if you have been attacked.
> Please email the IPT list directly for more help upgrading your installation.
> Sincerely,
> Kyle, on behalf of the IPT development team and the GBIF Secretariat
> Instructions how to update IPT in Tomcat:
> 1. Please download:
> https://gbif-providertoolkit.googlecode.com/files/ipt-2.0.5-security-update-1.war
> 2. Backup IPT data directory somewhere safe
> 3. Remove ipt.war from $tomcat/webapps/ (some seconds later, the deployed /ipt
> folder should automatically delete)
> 4. Once ipt.war and /ipt have been removed from /webapps - stop Tomcat
> 5. Add new version to /webapps renaming it from
> ipt-2.0.5-security-update-1.war to ipt.war
> 6. Start Tomcat
> 7. In a browser open the application (if it doesn't appear at first, try
> restarting Tomcat once more).
> 8. When prompted for IPT data directory, enter same location as existing IPT
> data directory 
> 9. Press continue, hopefully installation succeeds.
> _______________________________________________
> IPT mailing list
> IPT at lists.gbif.org
> http://lists.gbif.org/mailman/listinfo/ipt
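
An added check, not part of the original thread and not the IPT project's own code: because the update exists to replace the vulnerable Struts libraries, this compares the Struts-related jars bundled in the old and the new ipt.war. It assumes the WAR keeps them under WEB-INF/lib with Maven-style names (struts2-*, xwork-core, ognl); the function names and the sample version numbers are constructed.

```python
import io
import re
import zipfile

# Assumed layout: WEB-INF/lib/<artifact>-<version>.jar (Maven-style names).
_JAR = re.compile(
    r"^WEB-INF/lib/(struts2-[a-z0-9-]+?|xwork-core|ognl)-(\d[\w.\-]*)\.jar$")

def struts_libs(war):
    """Return {artifact: version} for the Struts-related jars inside a WAR.

    `war` is a path or a file-like object; ValueError if it is not a zip.
    """
    try:
        with zipfile.ZipFile(war) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a readable WAR: {exc}") from exc
    found = {}
    for name in names:
        m = _JAR.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def compare(old_war, new_war):
    """List (artifact, old_version, new_version) for each Struts jar that differs."""
    old, new = struts_libs(old_war), struts_libs(new_war)
    return sorted((a, old.get(a), new.get(a))
                  for a in set(old) | set(new) if old.get(a) != new.get(a))

def sample_war(jars):
    """Build a constructed in-memory WAR holding empty jars with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jars:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed placeholder versions, not the IPT's real ones.
    old = sample_war(["struts2-core-1.0.0.jar", "xwork-core-1.0.0.jar", "guava-14.0.jar"])
    new = sample_war(["struts2-core-1.0.1.jar", "xwork-core-1.0.1.jar", "guava-14.0.jar"])
    for artifact, before, after in compare(old, new):
        print(f"{artifact}: {before} -> {after}")
```

An empty result from `compare` means the WAR sitting in webapps still bundles the same Struts jars as the one it was meant to replace.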
