SAS Statement Regarding Apache Struts 2 Remote Code Execution Vulnerability CVE-2017-5638

Reference Name: Apache Struts 2 Remote Code Execution Vulnerability CVE-2017-5638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
Severity: Informational
Status: No action by customers is required


History

3-15-2017 – Assessment completed

Impact

Customer deployments of SAS are not vulnerable to CVE-2017-5638.

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
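A defender-side check for the header pattern named in that description, added here as an example; it is not part of the SAS statement or of any SAS product, and the access-log format it scans is constructed for the example.

```python
"""Added example (not SAS code): spot CVE-2017-5638-style Content-Type abuse.

The bug lived in the Struts 2 Jakarta Multipart parser, so only requests
whose Content-Type is a multipart upload reach it, and a legitimate upload
header follows a narrow grammar: the RFC 2046 boundary alphabet excludes
'#', '{', '}', '%' and '$', which an injected expression needs."""
import re

# RFC 2046 bcharsnospace: DIGIT / ALPHA / ' ( ) + _ , - . / : = ?
_BCHARS = r"0-9A-Za-z'()+_,\-./:=?"
_MULTIPART_RE = re.compile(
    r"^multipart/form-data"
    r"\s*;\s*boundary=(?:\"[" + _BCHARS + r" ]{1,70}\"|[" + _BCHARS + r"]{1,70})"
    r"(?:\s*;\s*[A-Za-z0-9\-]+=(?:\"[^\"]*\"|[A-Za-z0-9\-._]+))*\s*$",
    re.IGNORECASE,
)
# The indicator quoted in the CVE description: a '#cmd=' string in the header.
_CMD_INDICATOR = re.compile(r"#cmd\s*=", re.IGNORECASE)


def classify_content_type(value: str) -> str:
    """'ok' | 'not-multipart' | 'ognl-indicator' | 'malformed-multipart'."""
    if _CMD_INDICATOR.search(value):
        return "ognl-indicator"
    if not value.lower().startswith("multipart/form-data"):
        return "not-multipart"      # Jakarta Multipart parser is never invoked
    if _MULTIPART_RE.match(value):
        return "ok"
    return "malformed-multipart"    # the parser's error path is what the CVE abused


def scan_access_log(lines):
    """Return (line_no, verdict, header) for requests that are neither a clean
    upload nor non-multipart. Constructed format: 'METHOD PATH ct="<value>"'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'ct="([^"]*)"', line)
        if m:
            verdict = classify_content_type(m.group(1))
            if verdict not in ("ok", "not-multipart"):
                findings.append((n, verdict, m.group(1)))
    return findings


# Constructed sample; the third line carries the page's '#cmd=' indicator, redacted.
SAMPLE_LOG = [
    'POST /upload.action ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    'POST /login.action ct="application/x-www-form-urlencoded"',
    'POST /upload.action ct="multipart/form-data; boundary=abc #cmd=<redacted>"',
    'POST /upload.action ct="multipart/form-data; boundary={broken"',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the third and fourth lines only; a strict header check like this belongs in front of the parser, not in it.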

Solution

March 15, 2017

The custom version of Apache Struts managed and delivered by SAS is not vulnerable to this exploit.

As an added precaution, customers of SAS Grid Manager may want to remove the flagged Apache Struts libraries that are included with the Platform Web Services (PWS) component. The product does not use the affected functionality and is not vulnerable to the potential exploitation. Please contact SAS Technical Support for further details.
