DX NetOps

Hi Team,

I was reached out by our Security team stating that there was a struts Vulnerability and the applications needed to be upgraded.

The US-CERT page says:

The Apache Software Foundation has released an advisory to address a vulnerable commons-fileupload library used in Apache Struts versions 2.3.36 and prior. A remote attacker could exploit this vulnerability to take control of an affected system. Struts versions from 2.5.12 are not affected.

NCCIC encourages users and administrators of Apache Struts versions 2.3.36 and prior to review the Apache security advisory for CVE-2016-1000031 and upgrade to the latest released version of Commons FileUpload library, which is currently 1.3.3.

More details of CVE below.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

I would like to know the Struts version of the Spectrum and which version of Spectrum is vulnerable and what version of the Spectrum will have a fix for this?

Same way would like to know the Struts version of CA-UIM and which versions of CA-UIM is Vulnerable and what version will have the fix for this?

Hope so CA SOI is not affected with this.

Expecting inputs and some valuable information.

Thank You!

Saju Mathew

Saju,

We are planning to upgrade Struts post 10.3.1 release which will address this vulnerability. ETA for 10.3.1 is early Q1 calendar year 2019.

Joe

Hi Joe,

I was going through the "Third-Party Software License Acknowledgements" of 10.3.1. It shows me the Struts version 2.3.36. Which is still vulnerable according to the CVE-2016-1000031.

Regards,

Saju Mathew

Thanks Matt,

Yes, I am opening new threads for SOI and UIM separately. 

Regards,

Saju Mathew