Impact analysis of Apache Struts 2 RCE (CVE-2017-5638) vulnerability on NNMi and NPS

  • KM02752250
  • 15-Mar-2017
  • 21-Mar-2017

Summary

This article confirms that NNMi and the related iSPI products are not impacted by CVE-2017-5638.

Question

What is the impact scope of the Apache Struts 2 RCE (CVE-2017-5638) vulnerability on HPE Network Node Manager (NNMi) and the related iSPIs?

Vulnerability Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

For more information about the Apache Struts 2 RCE (CVE-2017-5638) vulnerability, refer to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

Answer

The HPE Security Response team has screened all NNMi/iSPI product versions and confirmed that Apache Struts 2 is not shipped with these products.

As a result, NNMi and the related iSPIs are not vulnerable to CVE-2017-5638.
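
One way to check an installation directory for a bundled Struts 2 core library, as an added example (not HPE tooling or part of the original article). It assumes the library keeps its usual `struts2-core-<version>.jar` file name, takes the directory to scan from the reader, and uses the affected ranges exactly as quoted in the vulnerability description above.

```python
import os, re, tempfile, zipfile

# Assumption: the Struts 2 core library keeps its usual artifact name.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")

def is_affected(version):
    """Ranges as quoted in the CVE text: 2.3.x before 2.3.32, 2.5.x before 2.5.10.1."""
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (2, 3):
        return v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False

def find_struts(root):
    """Return sorted (location, version, affected) for each struts2-core jar under
    root, including jars bundled inside .war/.ear/.jar/.zip archives."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            names = [path]
            if name.lower().endswith((".war", ".ear", ".jar", ".zip")):
                try:
                    with zipfile.ZipFile(path) as z:
                        names += [path + "!" + n for n in z.namelist()]
                except (zipfile.BadZipFile, OSError):
                    pass  # unreadable archive: judge it by file name only
            for n in names:
                m = JAR_RE.search(n)
                if m:
                    hits.append((n, m.group(1), is_affected(m.group(1))))
    return sorted(hits)

def demo():
    """Constructed sample tree (not a real NNMi layout): a loose jar and a jar in a WAR."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "struts2-core-2.3.32.jar"), "wb").close()
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
            z.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        return [(ver, bad) for _, ver, bad in find_struts(root)]

if __name__ == "__main__":
    import sys
    for loc, ver, bad in find_struts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if bad else "ok", ver, loc)
```

An empty result means no file with that name was found under the scanned directory; a renamed or repackaged copy of the library would not be matched by this name-based check.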