March 31, 2017

The TIBCO Security team has evaluated the Apache Struts Vulnerability (CVE-2017-5638, for  Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10) and any impacts to TIBCO Products. See below findings and recommendations. 
-------
TIBCO Products not listed do not ship with the Struts library versions identified in the vulnerability announcement.
-------
TIBCO Managed File Transfer (MFT) Command Center, TIBCO Managed File Transfer (MFT)  Internet Server (versions 7.3.0 & 7.3.1 up to HF-003, 8.0.0, 8.0.1 up to HF-003): 

These products ship with, but do not use the vulnerable parts of the Struts library. If still concerned, customer can safely upgrade to Struts version 2.3.32. To apply this upgrade in a known tested environment, customers must first apply Service Pack 7.3.1 or 8.0.1, then apply the latest available hot-fixes. After that, replace the relevant struts JARS as follows:

• Download and expand an appropriate version of Struts.
• Find the <MFT-Install>/server/webapps/cfcc/WEB-INF/lib folder
• Replace struts2-core-2.3.30.jar with struts2-core-2.3.32.jar
• Replace struts2-tiles-plugin-2.3.30.jar with struts2-tiles-plugin-2.3.32.jar
• Restart MFT