CVE-2017-5638 Apache Struts Vulnerability in OneSpan Products

CVE-2017-5638 Apache Struts Vulnerability in OneSpan Products

Advisory ID vasco-sa-20170313-struts

Revision number 1.2

Date of Release March 14, 2017 08:00 AM UTC+1

Last update March 17, 2017 12:00 PM UTC+1

Summary

On Monday March 06, 2017 the Apache Struts 2 project issued a security bulletin about a Remote Code Execution vulnerability that exists in Apache Struts 2. 

This security advisory contains information on the products that have been affected by the vulnerability and contains information on the availability of patches.

Impacted Products

Following products are affected by the CVE-2017-5638 vulnerability: 

  • IDENTIKEY Authentication Server 3.5 and later 
  • IDENTIKEY Appliance 3.5.7.1 and later.

Affected Products

  • IDENTIKEY Appliance
  • IDENTIKEY Authentication Server
  • IDENTIKEY Virtual Appliance

Description

The following vulnerability description is extracted from the NIST National Vulnerability Database: 

“The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.” 

In scope of IDENTIKEY Authentication Server and IDENTIKEY Appliance, the vulnerability is present in the web administration component. The vulnerability can only be exploited by a malicious user if this user has access to web resources of the web administration component, such as for example the login page of the web administration component.

Severity Score

The table below denotes the CVSS 2.0 vulnerability score of the CVE-2017-5638 vulnerability on OneSpan's products.

CVSS Base Score: 6.8 (medium)
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Medium None Partial

Partial

Partial

 

Product Fixes

OneSpan has released patches for the following products: 

  • IDENTIKEY Authentication Server 3.11 / IDENTIKEY Authentication Server 3.11 R2 
  • IDENTIKEY Authentication Server 3.10 / IDENTIKEY Authentication Server 3.10 R2
  • IDENTIKEY Authentication Server 3.9 
  • IDENTIKEY Authentication Server 3.8 
  • IDENTIKEY Appliance 3.10.11.x 
  • IDENTIKEY Appliance 3.11.12.x 

In order to limit the exploitability of the vulnerability, customers should limit the access to the IDENTIKEY web administration component as much as possible.

Location

Customers with a maintenance contract can obtain fixed product releases from the Customer Portal. Customers without a maintenance contract should contact their local sales representative.

Reference

https://cwiki.apache.org/confluence/display/WW/S2-045

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638

Legal Disclaimer

WHILE EVERY REASONABLE EFFORT IS MADE TO PROCESS AND PROVIDE INFORMATION THAT IS ACCURATE, ALL THE CONTENT AND INFORMATION IN THIS DOCUMENT ARE PROVIDED "AS IS" AND “AS AVAILABLE,” WITHOUT ANY REPRESENTATION OR ENDORSEMENT AND WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OF CURRENCY, COMPLETENESS OR SUITABILITY, OR ANY WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE. YOUR USE OF THIS DOCUMENT, ANY INFORMATION PROVIDED, OR OF MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK. VASCO RESERVES THE RIGHT TO CHANGE OR UPDATE THE INFORMATION IN THIS DOCUMENT AT ANY TIME AND AT ITS DISCRETION, AS AND WHEN NEW OR ADDITIONAL INFORMATION BECOMES AVAILABLE. 

Copyright © 2017 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

🖨 cve-2017-5638-apache-struts-vulnerability