MFT Internet Server and Command Center mitigation for STRUTS CVE-2023-50164
Article ID: KB0107934
Products: TIBCO Managed File Transfer Command Center
Versions: All
Description
A security vulnerability, CVE-2023-50164, was found in STRUTS that affects Managed File Transfer Internet Server and Command Center. Note that a valid user ID and password are required to exploit this vulnerability. This article describes how to resolve the issue by manually updating the STRUTS files.
Environment
All supported environments
Resolution
Manually update STRUTS files
CVE-2023-50164 can be mitigated on MFT 8.3.x, 8.4.x and 8.5.x by upgrading to STRUTS 2.5.33 using the following procedure:
Download the STRUTS zip file:
- Full Distribution: struts-2.5.33-all.zip (65MB) [PGP] [SHA256]
Extract the STRUTS files:
- In Windows Explorer, click on the downloaded file "struts-2.5.33-all.zip".
- Navigate to this folder: struts-2.5.33\lib
- Copy these two files to a temp directory:
    struts2-core-2.5.33.jar
    struts2-tiles-plugin-2.5.33.jar
Update the STRUTS files
On each Internet Server and Command Center instance:
- Navigate to folder: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
- Move the old STRUTS files to a directory outside of MFT, for example /tmp/strutsBackup (the exact STRUTS file version may depend on the MFT version and hotfix level):
    struts2-core-2.5.31.jar
    struts2-tiles-plugin-2.5.31.jar
- Copy in the files that were extracted and saved in the temp directory:
    struts2-core-2.5.33.jar
    struts2-tiles-plugin-2.5.33.jar
Restart the MFT Service
- After removing the old STRUTS files from the lib folder and copying in the new files, restart the MFT Service.
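
The update steps above as POSIX shell functions for a Unix-hosted instance. This is an added example, not part of the TIBCO article: the function names, their arguments and the decision to abort when a replacement jar is missing are assumptions. It goes slightly beyond the text by moving out any older version of the two jars (not only 2.5.31) and by checking the download against the value published behind the [SHA256] link.

```shell
#!/bin/sh
# Added example, not TIBCO's script. Function names and arguments are assumptions.
NEW_VERSION="2.5.33"
JARS="struts2-core struts2-tiles-plugin"

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX,
# the value published behind the [SHA256] link next to the download.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# swap_struts_jars LIB_DIR NEW_JAR_DIR BACKUP_DIR
#   LIB_DIR is <MFT-Install>/server/webapps/cfcc/WEB-INF/lib; BACKUP_DIR is outside MFT.
swap_struts_jars() {
    lib_dir=$1; new_dir=$2; backup_dir=$3
    # Check both replacement jars exist before touching the live directory.
    for name in $JARS; do
        if [ ! -f "$new_dir/$name-$NEW_VERSION.jar" ]; then
            echo "missing $new_dir/$name-$NEW_VERSION.jar" >&2
            return 1
        fi
    done
    mkdir -p "$backup_dir" || return 1
    for name in $JARS; do
        # The old version varies with MFT version and hotfix level, so match any.
        for old in "$lib_dir/$name"-*.jar; do
            if [ -e "$old" ] && [ "$old" != "$lib_dir/$name-$NEW_VERSION.jar" ]; then
                mv "$old" "$backup_dir/" || return 1
            fi
        done
        cp "$new_dir/$name-$NEW_VERSION.jar" "$lib_dir/" || return 1
    done
}

# count_stale_struts LIB_DIR: print how many of the two jars are not at NEW_VERSION.
count_stale_struts() {
    stale=0
    for f in "$1"/struts2-core-*.jar "$1"/struts2-tiles-plugin-*.jar; do
        [ -e "$f" ] || continue
        case "$f" in
            *-"$NEW_VERSION".jar) ;;
            *) stale=$((stale + 1)) ;;
        esac
    done
    echo "$stale"
}
```

Run count_stale_struts on each Internet Server and Command Center instance before restarting the MFT Service; any result other than 0 means an old STRUTS jar is still in WEB-INF/lib alongside the new one.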