Is SSPR vulnerable to Apache Struts Vulnerabilities?

  • 7018709
  • 15-Mar-2017
  • 17-Mar-2017


NetIQ Self Service Password Reset 4.x for all platforms
NetIQ Self Service Password Reset 3.3.1 for all platforms


SSPR 3.3.1.x or SSPR 4.x runs on Tomcat 7 and Tomcat 8 respectively. 

This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request.

Is SSPR subject to other vulnerabilities in Apache struts, such as 
 - CVE-2016-1182 – remote attackers can conduct XSS or DoS
 - CVE-2005-3745 – remote injection of web script or HTML via query string



SSPR does not use the Apache struts library and hence is not vulnerable to Jakarta Struts CVE-2017-5638, or other struts vulnerabilities.