Severe security vulnerability (CVE-2017-9805)

DCIM_Support · ‎2020-07-03

This question was originally posted on DCIM Support by Steve David on 2017-09-07

Hi All, I have a customer running 7.4.1 and they received the following security vulnerability message

I've checked the Software Vulnerability Scan page and the Security Fixes page, but CVE-2017-9805 is not listed.

Struts versions 2.5- 2.5.12 are affected when used in conjunction with the REST plugin.

1.      Have you reviewed your environment for exposure to this vulnerability? (yes/no)
2.      Have you taken action to fully address the vulnerability? (yes/no)
3.      If the vulnerability hasn't been addressed via patching, have you mitigated via other means? (yes/no)
4.      Please provide details, including timing, for when the vulnerability will be fully patched or otherwise mitigated.

For more information on the issue:
https://struts.apache.org/docs/s2-052.html
https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement

Can you please advise the course of action needed? Thanks

DCIM_Support · ‎2020-07-03

This answer was originally posted on DCIM Support by Steven Marchetti on 2017-09-07

Hi Steve,

Please disregard my previous answer. I know why we had no documentation on this and I should have remembered. We don't use Struts. I'm guessing your notification is a false positive.

There are actually a few posts related to Struts:

Steve

See Answer In Context

DCIM_Support · ‎2020-07-03

This answer was originally posted on DCIM Support by Steven Marchetti on 2017-09-07

Hi Steve,

Please disregard my previous answer. I know why we had no documentation on this and I should have remembered. We don't use Struts. I'm guessing your notification is a false positive.

There are actually a few posts related to Struts:

Steve

DCIM_Support · ‎2020-07-03

This comment was originally posted on DCIM Support by Steve David on 2017-09-07

Thanks Steve. If we are not using Apache Struts framework, how can we explain why the system scanned for that vulnerability and detected it?

DCIM_Support · ‎2020-07-03

This comment was originally posted on DCIM Support by Steven Marchetti on 2017-09-07

Hi Steve,

There are often false positives in scanning, perhaps it's simply checking the wrong thing, I don't know. I can only tell you that the component that would be responsible for this vulnerability does not exist in DCE. Did you ask what was used to scan the system? If it's a VM did they possibly scan the wrong system?

Steve

DCIM_Support · ‎2020-07-03

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.