Struts Vulnerability CVE-2017-5638

Document ID : KB000013698
Last Modified Date : 14/02/2018
Introduction:

CVE Identifier: CVE-2017-5638

Affected Software: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10

Impact of vulnerability: Possible RCE when performing file upload based on Jakarta Multipart parser

Link: https://cwiki.apache.org/confluence/display/WW/S2-045
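As an added example (not part of this KB article and not Spectrum or Struts code), the following Python script encodes the affected version ranges listed above and flags any struts2-core jar whose version falls inside them, so an administrator can check a deployment before a PTF or upgrade is applied. The jar names and install paths in SAMPLE_JARS are constructed for the example; the Spectrum install location shown is hypothetical.

```python
import re
import sys
from pathlib import Path

# Affected ranges exactly as stated in the advisory, inclusive on both ends:
# Struts 2.3.5 - 2.3.31 and Struts 2.5 - 2.5.10.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Matches the standard Struts core jar name, e.g. struts2-core-2.3.24.jar
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Compare two version tuples; shorter tuples are padded with zeros
    so that 2.5 == 2.5.0 and 2.5.10.1 > 2.5.10."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version) if isinstance(version, str) else version
    return any(compare(lo, v) <= 0 and compare(v, hi) <= 0
               for lo, hi in AFFECTED_RANGES)


def version_from_jar_name(name):
    """Extract the version from a struts2-core jar file name, or None."""
    match = JAR_PATTERN.match(name)
    return match.group(1) if match else None


def scan_jar_names(paths):
    """Return (path, version, affected) for every struts2-core jar among paths."""
    findings = []
    for path in paths:
        version = version_from_jar_name(Path(path).name)
        if version is not None:
            findings.append((path, version, is_affected(version)))
    return findings


def scan_directory(root):
    """Walk a directory tree and report every struts2-core jar found in it."""
    return scan_jar_names(str(p) for p in Path(root).rglob("struts2-core-*.jar"))


# Constructed sample input; the /opt/spectrum path is a hypothetical install location.
SAMPLE_JARS = [
    "/opt/spectrum/tomcat/webapps/app/WEB-INF/lib/struts2-core-2.3.24.jar",
    "/opt/other/lib/struts2-core-2.3.32.jar",
    "/opt/other/lib/struts2-core-2.5.10.1.jar",
    "/opt/other/lib/commons-fileupload-1.3.2.jar",
]


if __name__ == "__main__":
    # With a directory argument, scan the real tree; otherwise use the sample list.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_jar_names(SAMPLE_JARS)
    for path, version, affected in results:
        status = "AFFECTED by CVE-2017-5638" if affected else "not in affected range"
        print(f"{path}: struts2-core {version} -> {status}")
```

The file-name check is a quick triage step only: a jar that has been renamed, repackaged or shaded into another archive will not be matched, so a clean scan is not proof that no affected Struts copy is present, and the PTF or the 10.2.1 upgrade remains the fix the article points to.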

Question:

Is Spectrum affected by this Struts vulnerability CVE-2017-5638?

Environment:
Spectrum 10.x

Answer:

Yes, Spectrum 10.x releases are affected by this Struts vulnerability CVE-2017-5638.

Spectrum 10.2.1 will upgrade Struts to 2.3.32. Beyond addressing this vulnerability, upgrading to Spectrum 10.2.1 also brings the enhancements and fixes in that release, so we strongly recommend upgrading to Spectrum 10.2.1. Spectrum 10.2.1 is a service pack release; customers not yet on the 10.2.0 base product will need to upgrade to 10.2.0 first before installing 10.2.1.

However, if an upgrade is not currently an option and you are running one of the older Spectrum versions shown in the table below, please raise a Technical Support ticket, state your Spectrum version and request the PTF(s).

Please note that, as of the day this KB article was written, the PTFs are still being worked on and will be available in the near future.

Spectrum Version    PTF patch
10.2                10.02.00.PTF_10.2.032
10.1.2              10.01.02.PTF_10.1.235
10.1.1              10.01.01.PTF_10.1.167
10.1                10.01.00.PTF_10.1.0104
10.0                10.00.00.PTF_10.0.033