VMware Cloud Community
chandlerbing
Contributor

vCOPs UI VM Apache struts vulnerability

Did an internal penetration test using Hurricane Labs. They discovered an Apache Struts 2 command injection vulnerability in the UI VM.

Issue

The version of Apache Struts on this server is susceptible to command injection.

Implication

This version of Apache Struts does not properly handle Object-Graph Navigation Language. Attackers can execute malicious commands by including specially crafted Java syntax in the URL.

The remediation was to upgrade to 2.3.15.1 or later. I am running 5.8.3, so how can I tell what version of Struts is installed? If it is not possible to patch, or I have to wait for VMware for the next release, what remediation steps can be taken now?

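An added example (not from the thread or from VMware) for the "what version of Struts is installed" question: a POSIX shell check that locates struts2-core jars under a given root on the UI VM and flags any older than the 2.3.15.1 fix cited in the pentest finding. It assumes the jars follow the standard struts2-core-<version>.jar naming; the scan root is passed as an argument because the thread does not give the install path.

```shell
#!/bin/sh
# Added example: find Struts 2 core jars and compare their versions against the
# fixed release named in the finding. Not vCOps or VMware code.
FIXED_VERSION="2.3.15.1"

# Print the version embedded in a jar name, e.g. struts2-core-2.3.8.jar -> 2.3.8.
# Prints nothing for files that do not follow the struts2-core-<version>.jar pattern.
version_from_jar_name() {
    basename "$1" .jar | sed -n 's/^struts2-core-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 (true) when version $1 is older than version $2. Each dotted component
# is compared numerically, so 2.3.8 is correctly older than 2.3.15.1 even though a
# plain string comparison would put "8" after "1". Missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# Walk the tree under $1 and print one line per struts2-core jar:
# "<path> <version> VULNERABLE (older than 2.3.15.1)" or "<path> <version> ok".
scan_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' | while IFS= read -r jar; do
        ver=$(version_from_jar_name "$jar")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s %s VULNERABLE (older than %s)\n' "$jar" "$ver" "$FIXED_VERSION"
        else
            printf '%s %s ok\n' "$jar" "$ver"
        fi
    done
}

# Number of jars flagged under $1; prints 0 when none are flagged.
count_vulnerable_jars() {
    scan_struts_jars "$1" | grep -c 'VULNERABLE' || true
}

# Usage: sh struts_check.sh <directory to scan>
if [ $# -gt 0 ]; then
    scan_struts_jars "$1"
fi
```

If the jar names have been renamed, the version can instead be read from the jar's own manifest with `unzip -p <jar> META-INF/MANIFEST.MF`.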
2 Replies
mark_j
Virtuoso

What is your specific build number of vC Ops? Also, did you upgrade the OS with your 5.8.3 upgrade as per the instructions?

If you find this or any other answer useful please mark the answer as correct or helpful.
chandlerbing
Contributor

5.8.3. Yes, applied SLES SP3 afterwards. Does SP3 include the latest Struts version?
