Is SSPR vulnerable to Apache Struts Vulnerabilities?

  • 7018709
  • 15-Mar-2017
  • 17-Mar-2017

Environment

NetIQ Self Service Password Reset 4.x for all platforms
NetIQ Self Service Password Reset 3.3.1 for all platforms

Situation

SSPR 3.3.1.x and SSPR 4.x run on Tomcat 7 and Tomcat 8 respectively.

The Apache Struts vulnerability in question (CVE-2017-5638) can be exploited if an attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request.

Is SSPR subject to other vulnerabilities in Apache Struts, such as:
 - CVE-2016-1182 – remote attackers can conduct XSS or DoS
 - CVE-2005-3745 – remote injection of web script or HTML via query string

Resolution

SSPR does not use the Apache Struts library and hence is not vulnerable to Jakarta Struts CVE-2017-5638 or to other Struts vulnerabilities.
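Administrators who want to confirm this on their own deployment rather than rely on the statement can check the Tomcat webapps directory for a bundled Struts library. The following audit script is an added example and is not part of the NetIQ article or of SSPR; it assumes a standard Tomcat layout (exploded webapps and/or packaged .war files under one webapps directory) and that `unzip` is available for inspecting .war files without extracting them.

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling): list any Apache Struts jar shipped
# by a webapp deployed under a Tomcat webapps directory, so the "no Struts
# library" claim can be verified on a running SSPR instance.

# Print every Struts jar found under the given webapps directory, one per line.
# Covers exploded webapps (WEB-INF/lib/struts*.jar) and packaged .war files,
# whose entries are listed with "unzip -Z1" without extracting the archive.
# Prints nothing when no Struts jar is present.
find_struts_jars() {
    webapps="$1"
    # Exploded webapps: Tomcat loads jars directly from WEB-INF/lib.
    find "$webapps" -type f -path '*/WEB-INF/lib/*' -name 'struts*.jar' 2>/dev/null
    # Packaged webapps: look inside each .war for the same path.
    for war in "$webapps"/*.war; do
        [ -f "$war" ] || continue
        unzip -Z1 "$war" 2>/dev/null \
            | grep -E '^WEB-INF/lib/struts[^/]*\.jar$' \
            | sed "s|^|$war: |"
    done
}

# Exit 0 when no Struts jar is present under the directory, 1 otherwise,
# so the function can be used directly as a pass/fail audit check.
struts_free() {
    [ -z "$(find_struts_jars "$1")" ]
}

# Typical use on a Tomcat host (path is an assumption, adjust to your install):
#   struts_free /opt/tomcat/webapps && echo "no Struts library found"
```

Run it against the webapps directory of the Tomcat instance hosting SSPR; an empty listing means no Struts jar is deployed with the application.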