Apache Struts Vulnerability (CVE-2017-5638) and Impact to TIBCO Products

Article ID: KB0108124

Products                                        Versions
All Products                                    -
TIBCO Managed File Transfer Internet Server     7.3.0 & 7.3.1 up to HF-003, 8.0.0, 8.0.1 up to HF-003

Description

March 31, 2017

The TIBCO Security team has evaluated the Apache Struts vulnerability CVE-2017-5638 (affecting Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10; a flaw in the Jakarta Multipart parser that allows remote code execution through a malformed Content-Type header in a file-upload request) for impact on TIBCO products. Findings and recommendations follow.
-------
TIBCO Products not listed do not ship with the Struts library versions identified in the vulnerability announcement.
-------
TIBCO Managed File Transfer (MFT) Command Center and TIBCO Managed File Transfer (MFT) Internet Server (versions 7.3.0 & 7.3.1 up to HF-003, 8.0.0, 8.0.1 up to HF-003):

These products ship with an affected Struts version but do not use the vulnerable component (the Jakarta Multipart parser), and are therefore not impacted. Customers who nevertheless want the affected code removed can safely upgrade to Struts version 2.3.32. To apply this upgrade in a configuration TIBCO has tested, first apply Service Pack 7.3.1 or 8.0.1 (matching the installed major version), then apply the latest available hot-fixes. Then replace the Struts JARs as follows:
  • Download and expand Struts 2.3.32.
  • Locate the <MFT-Install>/server/webapps/cfcc/WEB-INF/lib folder.
  • Keep a copy of the existing struts2-core-2.3.30.jar and struts2-tiles-plugin-2.3.30.jar so the change can be reverted.
  • Replace struts2-core-2.3.30.jar with struts2-core-2.3.32.jar.
  • Replace struts2-tiles-plugin-2.3.30.jar with struts2-tiles-plugin-2.3.32.jar.
  • Restart MFT.
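The JAR swap above, as an added shell example that is not part of this TIBCO article and not TIBCO tooling. It assumes the Struts 2.3.32 distribution has been expanded locally so that its lib/ directory holds the struts2-*-2.3.32.jar files (the layout of the Apache binary distribution), takes <MFT-Install> and that expanded directory as its two arguments, moves the shipped 2.3.30 JARs into a backup folder under <MFT-Install> before copying in the 2.3.32 ones, refuses to start if either replacement JAR is missing, and finishes by checking that no struts2 JAR at 2.3.30 remains in the lib folder. It does not restart MFT; do that with the product's normal procedure.

```shell
#!/bin/sh
# Added example, not TIBCO tooling. Assumptions: $1 is <MFT-Install>, $2 is an
# expanded Struts 2.3.32 distribution whose lib/ holds struts2-*-2.3.32.jar.
OLD_VER=2.3.30
NEW_VER=2.3.32
STRUTS_JARS="struts2-core struts2-tiles-plugin"

# Path of the cfcc webapp lib folder named in the article.
mft_lib_dir() {
    printf '%s/server/webapps/cfcc/WEB-INF/lib\n' "$1"
}

# Returns 0 when no struts2-*-<OLD_VER>.jar is left in the lib folder, 1 otherwise
# (listing the stragglers on stderr). Run it before and after the swap.
check_no_old_struts() {
    lib=$(mft_lib_dir "$1")
    found=0
    for f in "$lib"/struts2-*-"$OLD_VER".jar; do
        [ -e "$f" ] || continue      # glob matched nothing: keep going
        echo "still at $OLD_VER: $f" >&2
        found=1
    done
    [ "$found" -eq 0 ]
}

# upgrade_struts_jars <MFT-Install> <expanded-struts-dist>
upgrade_struts_jars() {
    mft=$1
    dist=$2
    lib=$(mft_lib_dir "$mft")
    [ -d "$lib" ] || { echo "lib folder not found: $lib" >&2; return 1; }

    # Verify every replacement JAR exists before touching anything, so the
    # webapp is never left with one JAR upgraded and the other missing.
    for j in $STRUTS_JARS; do
        [ -f "$dist/lib/$j-$NEW_VER.jar" ] || {
            echo "missing $dist/lib/$j-$NEW_VER.jar" >&2; return 1; }
    done

    backup="$mft/struts-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    for j in $STRUTS_JARS; do
        old="$lib/$j-$OLD_VER.jar"
        if [ -f "$old" ]; then
            mv "$old" "$backup/" || return 1   # keep the shipped JAR for rollback
        else
            echo "note: $old not present; copying $NEW_VER anyway" >&2
        fi
        cp "$dist/lib/$j-$NEW_VER.jar" "$lib/" || return 1
    done
    echo "original JARs saved in $backup"
    echo "now restart MFT using the product's normal procedure"
    check_no_old_struts "$mft"
}
```

Usage: `upgrade_struts_jars /opt/tibco/mft /tmp/struts-2.3.32` (both paths are placeholders). The final check deliberately flags any struts2 JAR still at 2.3.30, not just the two the article names, so a lib folder that carries additional Struts plugins at the old version is noticed rather than silently left mixed.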
Disclaimer: While TIBCO provides this information regarding exposure to the known vulnerability in good faith and makes reasonable efforts to supply correct, current and high-quality guidance, TIBCO is releasing the results of our findings solely on an 'as is' basis without any express or implied warranties, undertakings or guarantees.
