Stat Product Notification

Critical Notification

Stat (Apache Struts Vulnerability)

A critical security vulnerability (CVE-2017-5638) in the Jakarta Multipart parser of certain versions of Apache Struts was documented on March 10, 2017. Please check here for more details about the security vulnerability. All supported versions of Stat use an impacted version of Apache Struts.

How does this affect me?

The Apache Struts vulnerability is exposed in Stat. It may allow remote code execution through file uploads handled by the Jakarta Multipart plugin. Please note that most Stat environments are behind a firewall; depending on your setup, the risk of exploitation will most likely be limited to people inside the firewall.

Workaround

Customers running Stat versions 5.8.0 and 5.8.1 can be updated with a hotfix. Please see the related Knowledge Base articles for further details on the hotfixes. Customers running Stat versions 5.7.0 through 5.7.4 are encouraged to upgrade to a 5.8.x version and apply the hotfix.

Stat 5.8.1 hf-c to address CVE-2017-5638 vulnerability

Stat 5.8.0 hf-e for CVE-2017-5638 vulnerability

If you are unable to upgrade your 5.7.x version, there is a configuration option that eliminates the security exposure but limits the usability of some UI functions in the Web Client. Further details are available in the related Knowledge Base article.

Stat 5.7.x workaround to address CVE-2017-5638 vulnerability
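Whichever path applies (hotfix, upgrade, or the 5.7.x workaround), an administrator will usually want to confirm which Struts library actually ships in the deployed Stat web application. The following script is an added example, not Quest's code or part of any hotfix: it walks a web application directory (the path is an assumption; point it at your own Stat deployment), finds any `struts2-core-<version>.jar`, and reports whether the version falls inside the ranges Apache listed as affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample jar names in `main()` are constructed for illustration.

```python
import os
import re
from typing import Iterable, List, Tuple

# Ranges affected by CVE-2017-5638 according to the Apache Struts advisory (S2-045):
# 2.3.5 <= v <= 2.3.31 and 2.5 <= v <= 2.5.10. Fixed releases are 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
)

# Matches the bundled Struts core library, e.g. struts2-core-2.3.31.jar
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def _padded(version: Iterable[int], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so (2, 5) and (2, 5, 0, 0) compare as equal."""
    v = tuple(version)
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if this Struts version lies in a range affected by CVE-2017-5638."""
    v = _padded(parse_version(version))
    return any(_padded(lo) <= v <= _padded(hi) for lo, hi in AFFECTED_RANGES)


def classify_jar_names(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (filename, version, affected) for every struts2-core jar in names.

    Pure function (no filesystem access) so it can be tested with constructed input.
    """
    results = []
    for name in names:
        match = JAR_NAME_RE.match(name)
        if match:
            version = match.group(1)
            results.append((name, version, is_affected(version)))
    return results


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory and classify every struts2-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name, version, affected in classify_jar_names(files):
            findings.append((os.path.join(dirpath, name), version, affected))
    return findings


def main() -> None:
    # Constructed sample: what a scan of a hypothetical Stat WEB-INF/lib might return.
    sample = ["struts2-core-2.3.31.jar", "struts2-core-2.5.10.1.jar",
              "commons-fileupload-1.3.2.jar"]
    for name, version, affected in classify_jar_names(sample):
        status = "AFFECTED by CVE-2017-5638" if affected else "not in affected range"
        print(f"{name}: Struts {version} -> {status}")
    # Assumed path; replace with the real Stat deployment directory.
    for path, version, affected in scan_tree("/opt/stat/webapps/stat/WEB-INF/lib"):
        print(f"{path}: Struts {version} -> {'AFFECTED' if affected else 'ok'}")


if __name__ == "__main__":
    main()
```

Run it on each application server that hosts the Stat Web Client. A jar reported as affected means the vendor hotfix or upgrade has not yet reached that host, regardless of whether the server sits behind a firewall; a jar outside the range is only evidence about the library version, not proof that the deployment as a whole is patched.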

Status

The next release of the software will include an updated version of Apache Struts. Notifications will be sent out regarding new releases when available.