Return
-
Title
Stat 5.7.x workaround to address CVE-2017-5638 vulnerability -
Description
Stat Central Agent Issue with CVE-2017-5638 vulnerability
-
Cause
Older version of Struts causes vulnerability -
Resolution
WORKAROUND:
Solution below applies for Standalone Server (JBoss) only. For Central Agents on WebLogic, it is recommended to upgrade to Stat 5.8.x or to switch Central Agent to Standalone.
Important Note: The following solution limits Web functionality of Stat. For example, one of the limitations would be not being able to open up a csr via stat web. However user can create a csr via stat web and uses the approval functionality without any problem.1. Make sure to sign in with your supportlink account and scroll all the way down to the attachment section. Download struts.zip attachment from this solution2. Stop Central Agent3. Backup and delete the following files from <STAT_HOME>\app\server\default\libfreemarker-2.3.19.jarognl-3.0.6.jarstruts2-core-2.3.20.jarstruts2-json-plugin-2.3.20.jarstruts2-tiles-plugin-2.3.20.jartiles-api-2.0.6.jartiles-core-2.0.6.jartiles-jsp-2.0.6.jarxwork-core-2.3.20.jar4. Unzip the struts.zip into <STAT_HOME>\app\server\default\lib5. Start Central AgentSTATUS:
This issue has been addressed in Stat 5.8.0 hf-e and Stat 5.8.1 hf-c. Upgrade to 5.8.x and apply the hotfix below in order to resolve the CVE-2017-5638 vulnerability issue.
Stat 5.8.0 hf-e:
https://support.quest.com/stat/kb/227180
Stat 5.8.1 hf-c:
https://support.quest.com/stat/kb/227182
-
Attachments
-
Additional Information
The workaround applies to Stat 5.7.x version. For those who uses Stat web, it is recommended that you upgrade to 5.8.x version and apply the hotfix. Furthermore, we do not have a workaround or hotfix for 5.6.x since it is no longer a supported version as of Jan 2016