DX NetOps

Expand all | Collapse all

Apache Struts vulnerablity- CVE-2016-1000031

  • 1.  Apache Struts vulnerablity- CVE-2016-1000031

    Posted 11-28-2018 01:18 PM

    Hi Team,

     

    I was reached out by our Security team stating that there was a struts Vulnerability and the applications needed to be upgraded.

     

    The US-CERT page says:

     

    The Apache Software Foundation has released an advisory to address a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior. A remote attacker could exploit this vulnerability to take control of an affected system. Struts versions from 2.5.12 are not affected.

    NCCIC encourages users and administrators of Apache Struts versions 2.3.36 and prior to review the Apache security advisory for CVE-2016-1000031 and upgrade to the latest released version of Commons FileUpload library, which is currently 1.3.3.

     

    More details of CVE below.

     

    http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

     

     

    I would like to know the Struts version of the Spectrum and which version of Spectrum is vulnerable and what version of the Spectrum will have a fix for this?

     

    Same way would like to know the Struts version of CA-UIM and which versions of CA-UIM is Vulnerable and what version will have the fix for this?

     

    Hope so CA SOI is not affected with this.

     

    Expecting inputs and some valuable information.

     

    Thank You!

    Saju Mathew



  • 2.  Re: Apache Struts vulnerablity- CVE-2016-1000031

    Posted 12-06-2018 07:48 AM

    Saju,

     

    We are planning to upgrade Struts post 10.3.1 release which will address this vulnerability. ETA for 10.3.1 is early Q1 calendar year 2019.

     

    Joe



  • 3.  Re: Apache Struts vulnerablity- CVE-2016-1000031

    Posted 01-22-2019 11:40 AM

    Hi Joe,

     

    I was going through the "Third-Party Software License Acknowledgements" of 10.3.1. It shows me the Struts version 2.3.36. Which is still vulnerable according to the CVE-2016-1000031.

     

    Regards,

    Saju Mathew



  • 4.  Re: Apache Struts vulnerablity- CVE-2016-1000031

    Posted 12-06-2018 07:57 AM

    Joe helped with the Spectrum side.

    I would advise you reach out to the different product teams for SOI and UIM to get answers there.

    This board is monitored by Spectrum Support Engineers only.

     

    Thanks

    Matt



  • 5.  Re: Apache Struts vulnerablity- CVE-2016-1000031

    Posted 01-22-2019 11:41 AM

    Thanks Matt,

     

    Yes, I am opening new threads for SOI and UIM separately. 

     

    Regards,

    Saju Mathew