I was reached out by our Security team stating that there was a struts Vulnerability and the applications needed to be upgraded.
The US-CERT page says:
The Apache Software Foundation has released an advisory to address a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior. A remote attacker could exploit this vulnerability to take control of an affected system. Struts versions from 2.5.12 are not affected.
NCCIC encourages users and administrators of Apache Struts versions 2.3.36 and prior to review the Apache security advisory for CVE-2016-1000031 and upgrade to the latest released version of Commons FileUpload library, which is currently 1.3.3.
More details of CVE below.
I would like to know the Struts version of the Spectrum and which version of Spectrum is vulnerable and what version of the Spectrum will have a fix for this?
Same way would like to know the Struts version of CA-UIM and which versions of CA-UIM is Vulnerable and what version will have the fix for this?
Hope so CA SOI is not affected with this.
Expecting inputs and some valuable information.
We are planning to upgrade Struts post 10.3.1 release which will address this vulnerability. ETA for 10.3.1 is early Q1 calendar year 2019.
I was going through the "Third-Party Software License Acknowledgements" of 10.3.1. It shows me the Struts version 2.3.36. Which is still vulnerable according to the CVE-2016-1000031.
Joe helped with the Spectrum side.
I would advise you reach out to the different product teams for SOI and UIM to get answers there.
This board is monitored by Spectrum Support Engineers only.
Yes, I am opening new threads for SOI and UIM separately.