Reference Name: Apache Struts 2 Vulnerabilities
https://struts.apache.org/announce.html#a20170907
https://struts.apache.org/docs/s2-050.html
https://struts.apache.org/docs/s2-051.html
https://struts.apache.org/docs/s2-052.html
https://struts.apache.org/docs/s2-053.html
https://struts.apache.org/docs/s2-054.html
https://struts.apache.org/docs/s2-055.html
Severity: Informational
Status: No action by customers is required
History
- 9-12-2017 – Assessment completed
Impact
Customer deployments of SAS® are not vulnerable to CVE-2017-9804, CVE-2017-9793, CVE-2017-9805, or CVE-2017-12611.
Description
Struts 2 versions 2.3.7-2.3.33 and 2.5-2.5.12 might be vulnerable to Denial of Service and Remote Code Execution attacks.
Solution
September 12, 2017
The custom version of Apache Struts that is managed and delivered by SAS is not vulnerable to these exploits.
As an added precaution, customers who have installed SAS® Grid Manager might want to remove the flagged Apache Struts libraries that are included with the Platform Web Services (PWS) component. The product does not use the affected functionality and is not vulnerable to potential exploitation. Please contact SAS Technical Support for further details.