CVE Identifier: CVE-2017-5638
Affected Software: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Impact of vulnerability: Possible RCE when performing file upload based on the Jakarta Multipart parser
Link: https://cwiki.apache.org/confluence/display/WW/S2-045
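The affected ranges above are inclusive on both ends, and a plain string comparison of version numbers gets them wrong ("2.3.5" sorts after "2.3.31" as text). The following Python helper, added here as an illustration and not part of the CA knowledge base article or of Spectrum itself, turns the advisory's ranges into tuple comparisons and scans a list of jar file names for the struts2-core artifact. It assumes the standard Maven artifact naming struts2-core-<version>.jar; the sample file list is constructed for the example and does not reflect where Spectrum actually ships its libraries.

```python
import re

# Affected ranges from the advisory (CVE-2017-5638 / S2-045), inclusive:
# Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
]

# Matches the standard Maven artifact name, e.g. struts2-core-2.3.31.jar,
# optionally preceded by a directory path (assumption: standard naming).
_JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31); pad short versions like '2.5' to 3 parts."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version):
    """True if the Struts version falls inside one of the advisory's ranges.

    A fourth component (e.g. the 2.5.10.1 fix release) sorts above the
    three-part upper bound, so it is correctly reported as not affected.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar_name(name):
    """Extract the version from a struts2-core jar name, or None if not that artifact."""
    m = _JAR_RE.search(name)
    return m.group(1) if m else None


def scan_jar_names(names):
    """Return (jar, version, affected) for every struts2-core jar in the list."""
    findings = []
    for n in names:
        v = version_from_jar_name(n)
        if v is not None:
            findings.append((n, v, is_affected(v)))
    return findings


# Constructed sample listing: not a real Spectrum install layout.
SAMPLE_JARS = [
    "WEB-INF/lib/struts2-core-2.3.31.jar",
    "WEB-INF/lib/struts2-convention-plugin-2.3.31.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "other-app/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for jar, ver, bad in scan_jar_names(SAMPLE_JARS):
        print(f"{jar}: struts {ver} -> {'AFFECTED' if bad else 'not affected'}")
```

Only the struts2-core artifact is checked; plugin jars carry the same version string but are not what the advisory keys on, so they are ignored rather than double-counted.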
Question:
Is Spectrum affected by this Struts vulnerability CVE-2017-5638?
Environment:
Spectrum 10.x
Answer:
Yes, Spectrum 10.x releases are affected by this Struts vulnerability CVE-2017-5638.
Spectrum 10.2.1 will upgrade Struts to 2.3.32. We strongly recommend upgrading to Spectrum 10.2.1, not only to address this vulnerability but also to benefit from the enhancements and fixes in 10.2.1. Spectrum 10.2.1 is a service pack release; customers not yet on the 10.2.0 base product will need to upgrade to 10.2.0 first before installing 10.2.1.
However, if upgrading is not currently an option and you are running one of the older Spectrum versions shown in the table below, please raise a Technical Support Ticket, state your Spectrum version and request the PTF(s).
Please note that as of the date this KB article was written, the PTFs are still being worked on and will be available in the near future.
Spectrum Version    PTF patch
10.2                10.02.00.PTF_10.2.032
10.1.2              10.01.02.PTF_10.1.235
10.1.1              10.01.01.PTF_10.1.167
10.1                10.01.00.PTF_10.1.0104
10.0                10.00.00.PTF_10.0.033
KB article URL: https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1441256.html