Advisory ID: 17-0004
Publish Date: 2017-03-20
Revision: 1.0
Summary
Apache Struts 2 is an extensible framework for building Java web applications. A security vulnerability has been identified in certain releases of Apache Struts that allows possible remote code execution when a file upload is handled by the Jakarta Multipart parser.
Certain Mitel products ship with the Apache Struts framework; however, the versions shipped with these products are not among those identified as vulnerable. The risk that this vulnerability affects Mitel products is therefore minimal.
The vulnerability is identified as CVE-2017-5638.
Mitel is not aware of any confirmed cases where Mitel products have been compromised.
Detailed Description
Apache Struts is an open source project of the Apache Software Foundation, originally part of the Apache Jakarta project, that allows Java developers to build web applications on J2EE. The Apache Struts project has confirmed the vulnerability and rated it as high risk: https://cwiki.apache.org/confluence/display/WW/S2-045
Apache Struts versions impacted | Recommended minimum Apache Struts version
Apache Struts 2.3.5 – 2.3.31    | Apache Struts 2.3.32
Apache Struts 2.5 – 2.5.10      | Apache Struts 2.5.10.1
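The following Python script is an added worked example; it is not part of this advisory and is not Mitel's or the Apache Struts project's code. It encodes the version ranges from the table above and classifies any struts2-core JAR files found in a deployment against them, which is the check an operator would run on the underlying third-party infrastructure this advisory asks installations to review. The JAR names it processes are constructed samples, and the assumption that the Struts version is carried in the JAR file name (struts2-core-<version>.jar) is an assumption of the example, not a statement from the advisory.

```python
"""
Classify Apache Struts 2 core JARs against the S2-045 / CVE-2017-5638 version ranges.

Added example, not Mitel's or the Struts project's code. The affected ranges and
minimum fix versions are taken from the advisory table; the sample JAR paths are
constructed and the "version is in the JAR file name" convention is an assumption.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# (first affected, last affected, recommended minimum fix) from the advisory table.
AFFECTED_RANGES = [
    ("2.3.5", "2.3.31", "2.3.32"),
    ("2.5", "2.5.10", "2.5.10.1"),
]

# Assumed naming convention: struts2-core-<dotted version>.jar
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). Tuple comparison gives the ordering
    we need: (2, 5) < (2, 5, 10) < (2, 5, 10, 1), so the 2.5.10.1 fix release
    sorts above the last affected 2.5.10 without any special casing."""
    return tuple(int(part) for part in version.split("."))


def recommended_fix(version: str) -> Optional[str]:
    """Return the minimum fixed version if `version` falls in an affected range,
    otherwise None (meaning the version is not in the advisory's affected list)."""
    v = parse_version(version)
    for first, last, fix in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fix
    return None


def is_affected(version: str) -> bool:
    return recommended_fix(version) is not None


def classify_jars(jar_paths: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """For each JAR path return (path, status, fix); status is 'vulnerable',
    'not-affected', or 'unknown' when the version cannot be read from the name."""
    results = []
    for path in jar_paths:
        m = _JAR_RE.match(os.path.basename(path))
        if not m:
            results.append((path, "unknown", None))
            continue
        fix = recommended_fix(m.group(1))
        results.append((path, "vulnerable" if fix else "not-affected", fix))
    return results


def scan_directory(root: str) -> List[Tuple[str, str, Optional[str]]]:
    """Walk a deployment tree (e.g. a Tomcat webapps directory) and classify
    every struts2-core JAR found under it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("struts2-core-") and name.endswith(".jar"):
                found.append(os.path.join(dirpath, name))
    return classify_jars(found)


# Constructed sample input: these paths do not describe any real Mitel product.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/app/WEB-INF/lib/struts2-core-2.5.jar",
]

if __name__ == "__main__":
    for path, status, fix in classify_jars(SAMPLE_JARS):
        line = f"{status:13} {path}"
        if fix:
            line += f"  -> upgrade to {fix}"
        print(line)
```

The file name is only a first approximation: a repackaged or renamed JAR carries its version in META-INF/MANIFEST.MF or in the embedded pom.properties rather than in the name, and a version outside the affected range says nothing about whether a particular application actually exposes the multipart upload path. Treat "not-affected" as a reason to move on and "unknown" as a reason to open the archive.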
Affected Products
Although certain Mitel products use the Apache Struts framework, these products are not running versions affected by this vulnerability.
While this advisory pertains to Mitel products, it does not cover the third-party infrastructure on which these applications or products run. Mitel strongly advises that any installation also consider this security vulnerability with respect to that underlying infrastructure.
Product Security bulletins are not being issued as there are no required updates.
Risk Assessment
The risk from the vulnerability is rated as High by NIST for products running the affected versions of Apache Struts. Most Mitel products do not use Apache Struts.
The few Mitel products that do use Apache Struts run a version that is not in the affected list. The risk to Mitel products is therefore deemed low.
Mitigation / Recommended Action
There are no mitigating actions required for Mitel products.
This advisory will be updated should the vulnerability be identified in additional Apache Struts versions that Mitel may be using in its products.
External References
https://struts.apache.org/docs/s2-045.html - Includes description and developer workarounds
Related CVEs / CWEs / Advisories
This vulnerability is identified as CVE-2017-5638. Additional information can also be found at the following web sites:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638