Summary
Question
What is the impact scope of the Apache Struts 2 RCE (CVE-2017-5638) vulnerability on HPE Network Node Manager (NNMi) and the related iSPIs?
Vulnerability Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
For more information about the Apache Struts 2 RCE (CVE-2017-5638) vulnerability, please refer to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
Answer
The HPE Security Response team has screened all NNMi/iSPI product versions and confirmed that Apache Struts 2 is not shipped with these products.
As a result, NNMi and the related iSPIs are not vulnerable to CVE-2017-5638.
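
To confirm on a given server that no Struts 2 core library in the version ranges quoted above is present, an installation tree can be scanned as in the following added example (not HPE code). It assumes the library uses the standard Maven artifact name `struts2-core-<version>.jar`; the directory to scan is supplied by the operator.

```python
import os
import re
import sys
import zipfile

# Assumption: standard Maven artifact naming, e.g. struts2-core-2.3.31.jar
JAR_RE = re.compile(r"(?:^|[/!])struts2-core-(\d+(?:\.\d+)*)[^/!]*\.jar$")
ARCHIVES = (".war", ".ear", ".jar", ".zip")


def parse_version(path):
    """Return the version tuple from a struts2-core jar name, or None."""
    m = JAR_RE.search(path.replace("\\", "/"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """Ranges as stated in the CVE text: 2.3.x < 2.3.32 and 2.5.x < 2.5.10.1."""
    if version[:2] == (2, 3):
        return version < (2, 3, 32)
    if version[:2] == (2, 5):
        return version < (2, 5, 10, 1)
    return False


def scan(root):
    """Find struts2-core jars on disk and one level inside WAR/EAR/JAR/ZIP files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            candidates = [full]
            if name.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(full) as zf:
                        candidates += [full + "!" + n for n in zf.namelist()]
                except (zipfile.BadZipFile, OSError):
                    pass  # unreadable or not a real archive: only the file name is checked
            for candidate in candidates:
                version = parse_version(candidate)
                if version:
                    hits.append((candidate, version, is_affected(version)))
    return hits


if __name__ == "__main__":
    # Usage: python <this script> <directory>; defaults to the current directory
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "AFFECTED" if affected else "not in affected range"
        print(f"{path}: {'.'.join(map(str, version))} {status}")
```

An empty result means no file with that name was found on disk or one level inside an archive; libraries that were renamed or repackaged are not detected by a name-based scan.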