Impact analysis of Apache Struts 2 RCE (CVE-2017-5638) vulnerability on NNMi and NPS

  • KM02752250
  • 15-Mar-2017
  • 21-Mar-2017


This article aids to confirm that NNMi and the realted iSPI products are not impacted by CVE-2017-5638


What is the impact scope of the Apache Struts 2 RCE (CVE-2017-5638) vulnerability on HPE Network Node Manager (NNMi) and the related iSPIs ?

Vulnerability Description : The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

For more information about the Apache Struts 2 RCE (CVE-2017-5638) vulnerability, please refer to :


HPE Security Response team has screened all NNMi/iSPI product versions and confirmed that Apache Struts-2 is not shipped with these products.

As an effect, NNMi and the realted iSPIs are not vulnerable to CVE-2017-5638.