STRUTS CVE: CVE-2018-11776
Article ID: KB0080845
Updated On:
| Products | Versions |
|---|---|
| TIBCO Managed File Transfer Command Center | 7.3.0, 7.3.1, 7.3.2, 8.0.0, 8.0.1, 8.0.2, 8.1.0 |
Description
This affects the following versions:
MFT Internet Server 7.3.0 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Internet Server 7.3.1 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Internet Server 7.3.2
MFT Internet Server 8.0.0 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Internet Server 8.0.1 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Internet Server 8.0.2
MFT Internet Server 8.1.0
MFT Command Center 7.3.0 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Command Center 7.3.1 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Command Center 7.3.2
MFT Command Center 8.0.0 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Command Center 8.0.1 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Command Center 8.0.2
MFT Command Center 8.1.0
Note:
Struts is only used in the MFT Administrative interface
We strongly suggest that access to the administrative interface be within the internal network only.
The affected struts components are only used in the project in conjunction with already logged on privileged users with administrative credentials.
Customer workaround:
Download the struts 2.3.35 zip file from this URL
https://struts.apache.org/download.cgi#struts2517
Unzip it to the local machine.
Copy the following two jars to: <installation directory>/server/webapps/cfcc/WEB-INF/lib
MFT Internet Server 7.3.0 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Internet Server 7.3.1 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Internet Server 7.3.2
MFT Internet Server 8.0.0 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Internet Server 8.0.1 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Internet Server 8.0.2
MFT Internet Server 8.1.0
MFT Command Center 7.3.0 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Command Center 7.3.1 (Should be upgraded to V7.3.2 before performing this procedure)
MFT Command Center 7.3.2
MFT Command Center 8.0.0 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Command Center 8.0.1 (Should be upgraded to V8.0.2 before performing this procedure)
MFT Command Center 8.0.2
MFT Command Center 8.1.0
Note:
Struts is only used in the MFT Administrative interface
We strongly suggest that access to the administrative interface be within the internal network only.
The affected struts components are only used in the project in conjunction with already logged on privileged users with administrative credentials.
Customer workaround:
Download the struts 2.3.35 zip file from this URL
https://struts.apache.org/download.cgi#struts2517
Unzip it to the local machine.
Copy the following two jars to: <installation directory>/server/webapps/cfcc/WEB-INF/lib
struts2-core-2.3.35.jar: Delete the following two jar files from: <installation directory>/server/webapps/cfcc/WEB-INF/lib
struts2-tiles-plugin-2.3.35.jar
struts2-core-2.3.34.jar (or struts2-core-2.3.32.jar)Restart The Internet Server or Command Center
struts2-tiles-plugin-2.3.34.jar (or struts2-tiles-plugin-2.3.32jar)
Issue/Introduction
STRUTS CVE: CVE-2018-11776
Environment
All supported environments
Feedback
Yes
No
Powered by
