Did an internal penetration test using Hurricane Labs. They discovered an Apache Struts 2 command injection vulnerability in the UI VM.
Issue
The version of Apache Struts on this server is susceptible to command injection.
Implication
This version of Apache Struts does not properly handle Object-Graph Navigation Language. Attackers can execute malicious commands by including specially crafted Java syntax in the URL.
The remediation was to upgrade to 2.3.15.1 or later. I am running 5.8.3, so how can I tell what version of Struts is installed? If it is not possible to patch, or I have to wait for VMware for the next release, what remediation steps can be taken now?
What is your specific build number of vC Ops? Also, did you upgrade the OS with your 5.8.3 upgrade as per the instructions?
5.8.3. Yes, applied SLES SP3 afterwards. Does SP3 include the latest Struts version?
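
One way to check the version question raised in this thread, as an added example that is not part of the original posts and is not VMware's tooling: a shell script that inventories `struts2-core` jars under a directory and compares each against the fixed release named in the finding (2.3.15.1). It assumes the jars follow the usual `struts2-core-<version>.jar` naming; the function names and the search root you pass in are illustrative.

```shell
#!/bin/sh
# Added example: flag struts2-core jars older than the release the finding
# names as fixed. Assumes the version is carried in the jar file name.
FIXED="2.3.15.1"

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as -SNAPSHOT
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal versions are not "older"
}

# jar_version PATH: print the version embedded in a struts2-core jar name.
jar_version() {
    v=${1##*/}
    v=${v#struts2-core-}
    printf '%s\n' "${v%.jar}"
}

# scan_struts ROOT: print "<OLDER|OK> <version> <path>" for every jar found.
scan_struts() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        if version_lt "$ver" "$FIXED"; then status=OLDER; else status=OK; fi
        printf '%s %s %s\n' "$status" "$ver" "$jar"
    done
}

# Run a scan only when a search root is given on the command line.
if [ $# -gt 0 ]; then
    scan_struts "$1"
fi
```

Jars packed inside a `.war` that has not been unpacked are not visible to `find`, so list or extract the archive first if the application is deployed that way.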