Mitel Product Security Advisory 17-0004

Apache Struts Remote Code Execution Vulnerability CVE-2017-5638

Advisory ID: 17-0004
Publish Date: 2017-03-20
Revision: 1.0

Summary

Apache Struts 2 is an extensible framework for building Java web applications. A security vulnerability has been identified in certain releases of Apache Struts that allows possible remote code execution when performing a file upload to the Multipart parser.

Certain Mitel products ship with the Apache Struts framework. However, the versions shipped with these products are not included in the list of those versions deemed to be vulnerable. There is therefore minimal risk that this vulnerability affects Mitel products.

The vulnerability is identified as CVE-2017-5638.

Mitel is not aware of any confirmed cases where Mitel products have been compromised.

Detailed Description

Apache Struts is an open source project of the Apache Foundation Jakarta project, allowing Java developers use J2EE to develop Web applications. Apache Struts officials have confirmed the vulnerability and classified this as high risk: https://cwiki.apache.org/confluence/display/WW/S2-045

Particular versions of Apache Struts that have been identified as being vulnerable:

Apache Struts Versions impacted Recommended Minimum Apache Struts Version update
Apache Struts 2.3.5 – 2.3.31 Apache Struts 2.3.32
Apache Struts 2.5 – 2.5.10 Apache Struts 2.5.10.1

Affected Products

Although certain Mitel products use the Apache Struts framework, these products are not running versions that are implicated by this vulnerability.

While this advisory pertains to Mitel products, it does not cover 3rd party infrastructure that these applications, or products, are running on. Mitel strongly advises that any installation also consider this security vulnerability with respect to that underlying infrastructure.

Product Security bulletins are not being issued as there are no required updates.

Risk Assessment

The risk from the vulnerability is rated as High by NIST for product using the identified versions of Apache Struts. Most Mitel products do not use Apache Struts.

The few identified Mitel products that do use Apache Struts use a version not included in the identified list. The risk to Mitel product is therefore deemed low.

Mitigation / Recommended Action

There are no mitigating actions required for Mitel product.

Updates will be provided to this Advisory should the vulnerability be identified in additional Apache Struts versions that Mitel may be using in product.

External References

https://struts.apache.org/docs/s2-045.html - Includes description and developer workarounds

Related CVEs / CWEs / Advisories

This vulnerability is identified as: CVE-2017-5638. Additional information can also be found at the following web sites:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638