MFT Internet Server and Command Center mitigation for STRUTS CVE-2023-50164


Article ID: KB0107934

Products: TIBCO Managed File Transfer Command Center
Versions: All

Description

A security vulnerability, CVE-2023-50164, was found in STRUTS that affects Managed File Transfer Internet Server and Command Center.
Note that a valid user ID and password are required to exploit this vulnerability.
This article describes how to resolve the issue by manually updating the Struts files.

Environment

All supported environments

Resolution

Manually update STRUTS files

CVE-2023-50164 can be mitigated on MFT 8.3.x, 8.4.x and 8.5.x by upgrading to STRUTS 2.5.33 using the following procedure:

Download the STRUTS files:
- On the Struts download page, navigate down until you see "Struts 2.5.33".
- Download the full distribution, struts-2.5.33-all.zip (65MB); the PGP signature and SHA256 checksum are published alongside it.

Extract the STRUTS files:
- In Windows Explorer, open the downloaded file "struts-2.5.33-all.zip".
- Navigate to the folder struts-2.5.33\lib.
- Copy these two files to a temp directory:
  struts2-core-2.5.33.jar
  struts2-tiles-plugin-2.5.33.jar

Update the STRUTS files. On each Internet Server and Command Center instance:
- Navigate to the folder <MFT-Install>/server/webapps/cfcc/WEB-INF/lib.
- Move the old STRUTS files to a directory outside of MFT, for example /tmp/strutsBackup (the exact STRUTS file version depends on the MFT version and hotfix level):
  struts2-core-2.5.31.jar
  struts2-tiles-plugin-2.5.31.jar
- Copy in the files that were extracted and saved in the temp directory:
  struts2-core-2.5.33.jar
  struts2-tiles-plugin-2.5.33.jar

Restart the MFT Service:
- After removing the old STRUTS files and copying in the new files, restart the MFT Service.
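The jar swap above, scripted so that it can be repeated on every instance and checked before the restart. This is an added example, not TIBCO's own tooling; the paths passed to the functions (the WEB-INF/lib directory, the directory holding the extracted 2.5.33 jars, and the backup directory) are assumptions.

```shell
#!/bin/sh
# Added example, not TIBCO's own tooling. Replaces the Struts 2 jars in one
# MFT Internet Server / Command Center instance and verifies the result.
# Assumed arguments: lib_dir is <MFT-Install>/server/webapps/cfcc/WEB-INF/lib,
# new_dir holds the two jars extracted from struts-2.5.33-all.zip (lib folder),
# backup_dir is outside the MFT tree, e.g. /tmp/strutsBackup.

NEW_VERSION="2.5.33"

# Count the <name>-*.jar files in a directory (0 when none match).
count_jars() {
    n=0
    for f in "$1/$2"-*.jar; do [ -e "$f" ] && n=$((n + 1)); done
    echo "$n"
}

# Verify the 2.5.33 jars are present first so a typo in new_dir cannot leave
# the instance with no Struts jars at all; then move (never delete) the old
# jars to backup_dir, so the change can be reverted, and copy the new ones in.
update_struts_jars() {
    lib_dir="$1"; new_dir="$2"; backup_dir="$3"
    for name in struts2-core struts2-tiles-plugin; do
        [ -f "$new_dir/$name-$NEW_VERSION.jar" ] || { echo "missing $name-$NEW_VERSION.jar in $new_dir" >&2; return 1; }
    done
    mkdir -p "$backup_dir" || return 1
    for old in "$lib_dir"/struts2-core-*.jar "$lib_dir"/struts2-tiles-plugin-*.jar; do
        [ -e "$old" ] || continue            # glob matched nothing
        mv "$old" "$backup_dir/" || return 1
    done
    for name in struts2-core struts2-tiles-plugin; do
        cp "$new_dir/$name-$NEW_VERSION.jar" "$lib_dir/" || return 1
    done
}

# Succeeds only when lib_dir holds exactly one struts2-core and one
# struts2-tiles-plugin jar, both at 2.5.33. A leftover 2.5.31 jar would stay
# on the same classpath, so this catches a half-applied update before restart.
check_struts_version() {
    for name in struts2-core struts2-tiles-plugin; do
        [ "$(count_jars "$1" "$name")" -eq 1 ] || return 1
        [ -f "$1/$name-$NEW_VERSION.jar" ] || return 1
    done
}

# Usage on an instance (paths assumed), followed by an MFT service restart:
#   update_struts_jars /opt/mft/server/webapps/cfcc/WEB-INF/lib \
#       /tmp/struts-2.5.33/lib /tmp/strutsBackup \
#   && check_struts_version /opt/mft/server/webapps/cfcc/WEB-INF/lib
```

Run the check on every Internet Server and Command Center instance before restarting; a non-zero exit means an old jar is still in WEB-INF/lib or a new one is missing.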
