Reference Name: Apache Struts 2 Remote Code Execution Vulnerability CVE-2017-9791
Status: No action by customers is required
- 7-18-2017 – Assessment completed
Customer deployments of SAS® are not vulnerable to CVE-2017-9791.
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
July 18, 2017
The custom version of Apache Struts managed and delivered by SAS is not vulnerable to this exploit. As an added precaution, customers who have installed SAS® Grid Manager might want to remove the flagged Apache Struts libraries that are included with the Platform Web Services (PWS) component. The product does not use the affected functionality and is not vulnerable to potential exploitation. Please contact SAS Technical Support for further details.