Mitel Product Security Advisory 18-0010

Apache Struts 2 Remote Code Execution Vulnerability

Advisory ID: 18-0010
Publish Date: 2018-10-31
Last Updated: 2018-10-31
Revision: 1.0

Summary

A vulnerability in the Apache Struts 2 component used in MiCloud Telepo could allow an unauthenticated remote attacker to execute arbitrary code in the context of the application by sending specially crafted input to vulnerable pages.

Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel recommends customers with affected product versions update to the latest release.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name    Product Versions                        Security Bulletin  Last Updated
MiCloud Telepo  4.5 Patch 10 (4.5.13081) and earlier    18-0010-001        2018-10-31

Other Mitel products have been evaluated as not affected.

Risk Assessment

The risk of this vulnerability is rated as high.

Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued patches for the affected software. Customers are advised to update their software to the latest versions. MiCloud Telepo 4.6 and later versions are not affected by this vulnerability.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

https://nvd.nist.gov/vuln/detail/CVE-2018-11776

https://cwiki.apache.org/confluence/display/WW/S2-057

Related CVEs / Advisories

CVE-2018-11776

Revision History

Version  Date  Description 
1.0  2018-10-31  Initial version 

