Chat now with support
Chat with Support
Self Service Tools
Knowledge Base
My Account
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
What's New
Support Essentials
Awards and Testimonials
Getting Started
License Agreement
Support Guide

Stat Product Notification

Critical Alerts
Critical Notification

Stat (Apache Struts Vulnerability)

A critical security vulnerability with the Jakarta Multipart parser in certain versions of Apache Struts was documented on March 10, 2017. Please check here for more details about the security vulnerability.  All supported versions of Stat use an impacted version of Apache Struts.  

How does this affect me?

The Apache Struts vulnerability is exposed in Stat. This may allow remote code execution when performing file upload based on Jakarta plugin. Please note, most Stat environments are behind a firewall. The risk of exploitation will most likely be limited to people within the firewall depending on your setup.  


Customers running Stat versions 5.8.0 and 5.8.1 can be updated with a hotfix. Please see the related Knowledge Base articles for further details on the hotfixes. Customers running Stat version 5.7.0 - 5.7.4 are encouraged to upgrade to a 5.8.x version and apply the hotfix.

 Stat 5.8.1 hf-c to address CVE-2017-5638 vulnerability

 Stat 5.8.0 hf-e for CVE-2017-5638 vulnerability

If you are unable to upgrade your 5.7.x version, there is an option that will allow you to eliminate the security restriction but will limit the usability of some UI functions in the Web Client. Further details are available in the related Knowledge Base article. 

Stat 5.7.x workaround to address CVE-2017-5638 vulnerability


The next release of the software will include an updated version of Apache Struts. Notifications will be sent out regarding new releases when available.