Environment
NetIQ Self Service Password Reset 4.x for all platforms
NetIQ Self Service Password Reset 3.3.1 for all platforms
NetIQ Self Service Password Reset 3.3.1 for all platforms
Situation
SSPR 3.3.1.x or SSPR 4.x runs on Tomcat 7 and Tomcat 8 respectively.
Is SSPR vulnerable to the newly released Apache struts CVE-2017-5638 defined at http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/?
This particular vulnerability can be exploited if the attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request.
Is SSPR subject to other vulnerabilities in Apache struts, such as
- CVE-2016-1182 – remote attackers can conduct XSS or DoS
- CVE-2005-3745
– remote injection of web script or HTML via query string
Resolution
SSPR does not use the Apache struts library and hence is not vulnerable to Jakarta Struts CVE-2017-5638, or other struts vulnerabilities.