Mitel Product Security Advisory 17-0004
Apache Struts Remote Code Execution Vulnerability CVE-2017-5638
Advisory ID: 17-0004
Publish Date: 2017-03-20
Apache Struts 2 is an extensible framework for building Java web applications. A security vulnerability has been identified in certain releases of Apache Struts that allows possible remote code execution when performing a file upload to the Multipart parser.
Certain Mitel products ship with the Apache Struts framework. However, the versions shipped with these products are not included in the list of those versions deemed to be vulnerable. There is therefore minimal risk that this vulnerability affects Mitel products.
The vulnerability is identified as CVE-2017-5638.
Mitel is not aware of any confirmed cases where Mitel products have been compromised.
Apache Struts is an open source project of the Apache Foundation Jakarta project, allowing Java developers use J2EE to develop Web applications. Apache Struts officials have confirmed the vulnerability and classified this as high risk: https://cwiki.apache.org/confluence/display/WW/S2-045
Particular versions of Apache Struts that have been identified as being vulnerable:
|Apache Struts Versions impacted||Recommended Minimum Apache Struts Version update|
|Apache Struts 2.3.5 – 2.3.31||Apache Struts 2.3.32|
|Apache Struts 2.5 – 2.5.10||Apache Struts 22.214.171.124|
Although certain Mitel products use the Apache Struts framework, these products are not running versions that are implicated by this vulnerability.
While this advisory pertains to Mitel products, it does not cover 3rd party infrastructure that these applications, or products, are running on. Mitel strongly advises that any installation also consider this security vulnerability with respect to that underlying infrastructure.
Product Security bulletins are not being issued as there are no required updates.
The risk from the vulnerability is rated as High by NIST for product using the identified versions of Apache Struts. Most Mitel products do not use Apache Struts.
The few identified Mitel products that do use Apache Struts use a version not included in the identified list. The risk to Mitel product is therefore deemed low.
Mitigation / Recommended Action
There are no mitigating actions required for Mitel product.
Updates will be provided to this Advisory should the vulnerability be identified in additional Apache Struts versions that Mitel may be using in product.
https://struts.apache.org/docs/s2-045.html - Includes description and developer workarounds
Related CVEs / CWEs / Advisories
This vulnerability is identified as: CVE-2017-5638. Additional information can also be found at the following web sites: