
Stat Product Notification

Critical Notification

Stat (Apache Struts Vulnerability)

A critical security vulnerability in the Jakarta Multipart parser shipped with certain versions of Apache Struts was published on March 10, 2017 as Apache Struts security bulletin S2-045 (CVE-2017-5638). All supported versions of Stat use an affected version of Apache Struts.

How does this affect me?

Stat is exposed to this Apache Struts vulnerability. The Jakarta Multipart parser evaluates a malformed Content-Type header as an OGNL expression while building its error message, so an attacker who can reach the Stat web client can achieve remote code execution with a single crafted HTTP request; no actual file upload and no authentication to the application are required. Most Stat environments are behind a firewall, so exploitation will most likely be limited to people who can reach the Stat web server from inside the firewall, depending on your setup. Treat that as a reduction in exposure rather than a mitigation: any host on the internal network, including a compromised workstation or a VPN client, can exploit the vulnerability until the hotfix or workaround is applied.
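As an added example that is not part of Quest's notification or of the Stat product: a Python check that classifies HTTP headers by the property that makes CVE-2017-5638 exploitable. The vulnerable Jakarta parser only evaluates a header value as OGNL, and an OGNL expression has to contain the delimiter `%{` or `${`, which a legitimate media type never does. The S2-046 variant of the same CVE reaches the same evaluation through the Content-Disposition filename of a multipart part, so the same marker check is applied to that header when part headers are fed in. The sample requests are constructed, and the `classify_headers` and `scan` functions are mine, not anything the Stat hotfixes do.

```python
import re
from typing import Dict, Iterable, List, Tuple

# OGNL expression delimiters. The Struts error path behind CVE-2017-5638
# evaluates the header value as an expression, and that only does anything
# if one of these delimiters is present. A real media type never contains them.
OGNL_MARKER = re.compile(r"[%$]\{")

# Media type grammar (RFC 7230 tokens): type/subtype followed by optional
# ";name=value" parameters, where value may be a quoted string. Braces,
# parentheses and '#' are not token characters, so an OGNL payload cannot
# pass this check even if the delimiter regex above were bypassed.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"^\s*{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED}))*\s*$"
)


def classify_headers(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one set of request or multipart part headers.

    verdict is 'exploit'   : an OGNL delimiter in Content-Type or Content-Disposition,
               'malformed' : Content-Type is not a valid media type (worth a look,
                             since the vulnerable path is the parser's error handling),
               'ok'        : nothing suspicious.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("content-type", "content-disposition"):
        value = lowered.get(name)
        if value is not None and OGNL_MARKER.search(value):
            return "exploit", f"OGNL expression in {name}: {value[:60]!r}"
    content_type = lowered.get("content-type")
    if content_type is not None and not MEDIA_TYPE.match(content_type):
        return "malformed", f"Content-Type is not a valid media type: {content_type[:60]!r}"
    return "ok", ""


def scan(requests: Iterable[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Classify every header set and return (index, verdict, reason) for the alerts."""
    findings = []
    for index, headers in enumerate(requests):
        verdict, reason = classify_headers(headers)
        if verdict != "ok":
            findings.append((index, verdict, reason))
    return findings


# Constructed sample traffic (not captured from any real Stat deployment).
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----StatUpload1234"},    # 0 normal upload
    {"Content-Type": "application/x-www-form-urlencoded"},                   # 1 normal form post
    {"Content-Type": "%{(#_='multipart/form-data').(#x=1)}"},                # 2 S2-045 shape, inert
    {"Content-Type": "multipart/form-data boundary=abc"},                    # 3 malformed, no OGNL
    {"Content-Disposition": 'form-data; name="upload"; filename="${#x}"'},   # 4 S2-046 shape, part header
    {},                                                                      # 5 request without a body
]


if __name__ == "__main__":
    for index, verdict, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict:9s} {reason}")
```

Feed `scan` header sets captured at the reverse proxy or WAF in front of the Stat web server. The request-header check covers the S2-045 vector on its own; for the S2-046 vector the multipart body has to be split into parts and each part's headers passed through `classify_headers`, which this example leaves to the caller.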

Workaround

Customers running Stat versions 5.8.0 and 5.8.1 can apply a hotfix; see the related Knowledge Base articles for details. Customers running Stat versions 5.7.0 through 5.7.4 are encouraged to upgrade to a 5.8.x version and then apply the hotfix for that version.

Stat 5.8.1 hf-c to address CVE-2017-5638 vulnerability

Stat 5.8.0 hf-e for CVE-2017-5638 vulnerability

If you are unable to upgrade from 5.7.x, a workaround is available that mitigates the vulnerability but limits the usability of some UI functions in the Web Client. Further details are available in the related Knowledge Base article.

Stat 5.7.x workaround to address CVE-2017-5638 vulnerability

Status

The next release of Stat will include an updated version of Apache Struts that is not affected by this vulnerability. Until then, the hotfix or workaround above is the only protection. Notifications will be sent out when new releases are available.