EcoStruxure IT forum
A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.
Posted: 2020-07-03 10:52 PM
This question was originally posted on DCIM Support by Steve David on 2017-09-07
Hi All, I have a customer running 7.4.1 and they received the following security vulnerability message
I've checked the Software Vulnerability Scan page and the Security Fixes page, but CVE-2017-9805 is not listed.
Struts versions 2.5 - 2.5.12 are affected when used in conjunction with the REST plugin.
1. Have you reviewed your environment for exposure to this vulnerability? (yes/no)
2. Have you taken action to fully address the vulnerability? (yes/no)
3. If the vulnerability hasn't been addressed via patching, have you mitigated via other means? (yes/no)
4. Please provide details, including timing, for when the vulnerability will be fully patched or otherwise mitigated.
For more information on the issue:
https://struts.apache.org/docs/s2-052.html
https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
Can you please advise the course of action needed? Thanks
(CID:124524587)
Posted: 2020-07-03 10:52 PM
This answer was originally posted on DCIM Support by Steven Marchetti on 2017-09-07
Hi Steve,
Please disregard my previous answer. I know why we had no documentation on this and I should have remembered. We don't use Struts. I'm guessing your notification is a false positive.
There are actually a few posts related to Struts:
Steve
(CID:124524639)
Posted: 2020-07-03 10:52 PM
This comment was originally posted on DCIM Support by Steve David on 2017-09-07
Thanks Steve. If we are not using Apache Struts framework, how can we explain why the system scanned for that vulnerability and detected it?
(CID:124524682)
Posted: 2020-07-03 10:53 PM
This comment was originally posted on DCIM Support by Steven Marchetti on 2017-09-07
Hi Steve,
There are often false positives in scanning; perhaps it's simply checking the wrong thing, I don't know. I can only tell you that the component that would be responsible for this vulnerability does not exist in DCE. Did you ask what was used to scan the system? If it's a VM, did they possibly scan the wrong system?
Steve
(CID:124524684)
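One way to verify the answer above on the scanned host itself, as an added example that is not from this thread or from the vendor: a script that looks for Struts 2 core and REST plugin jars (loose on disk or packed inside .war/.ear/.jar archives) and reports whether the versions found fall in the S2-052 range, so a scanner finding can be confirmed or dismissed as a false positive. The directory layout, the jar naming pattern and the three sample deployments built by run_demo() are constructed assumptions; the 2.1.2 - 2.3.33 range comes from the linked advisory, the 2.5 - 2.5.12 range from the notice quoted above.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges for CVE-2017-9805 (S2-052): 2.5 - 2.5.12 as quoted in the
# scanner notice above; the linked advisory also lists 2.1.2 - 2.3.33.
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
JAR_RE = re.compile(r"(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")

def is_affected(version):
    """True if a Struts version string falls in an affected range ('2.5' -> 2.5.0)."""
    parts = [int(p) for p in version.split(".")]
    v = tuple(parts + [0] * (3 - len(parts)))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def find_struts_jars(root):
    """Set of (artifact, version): loose jars plus jars one level inside archives."""
    found = set()
    for path in filter(Path.is_file, Path(root).rglob("*")):
        names = [path.name]
        if path.suffix in (".war", ".ear", ".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                names += zf.namelist()
        for m in filter(None, map(JAR_RE.search, names)):
            found.add((m.group(1), m.group(2)))
    return found

def assess(root):
    """Classify a deployment directory with respect to S2-052."""
    jars = find_struts_jars(root)
    if not jars:
        return "no Struts 2 artifacts found: finding is likely a false positive"
    rest = sorted(v for a, v in jars if a == "struts2-rest-plugin")
    if not rest:
        return "Struts 2 present but REST plugin absent: not exposed to S2-052"
    if any(is_affected(v) for v in rest):
        return f"EXPOSED: REST plugin {', '.join(rest)} in affected range"
    return f"REST plugin {', '.join(rest)} present but outside affected range"

def run_demo():
    base = Path(tempfile.mkdtemp())  # three constructed sample deployments
    (base / "clean").mkdir()                                  # no Struts at all
    (base / "core_only").mkdir()
    (base / "core_only" / "struts2-core-2.5.10.jar").touch()  # empty placeholder jar
    (base / "vuln").mkdir()
    with zipfile.ZipFile(base / "vuln" / "app.war", "w") as zf:  # jars nested in a WAR
        zf.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        zf.writestr("WEB-INF/lib/struts2-rest-plugin-2.5.10.jar", b"")
    return {d: assess(base / d) for d in ("clean", "core_only", "vuln")}
```

Run assess() against the application root of the scanned host (or the mounted disk of the VM) to answer the scanner's question 1 with evidence rather than a guess.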