VMware Response to CVE-2017-9805, CVE-2017-12611, and CVE-2017-9793 in Apache Struts
Article ID: 328932

Products

VMware vCenter Server

Issue/Introduction

The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2017-9805, CVE-2017-12611, and CVE-2017-9793 may have on VMware products.

Resolution

CVE-2017-9805/CVE-2017-9793

After a thorough investigation, vSECR has not been able to identify any VMware product that is affected by CVE-2017-9805 or CVE-2017-9793.

vSECR has found that VMware products shipping with Apache Struts 2.3.x or 2.5.x do not have the Struts REST plugin present on the system and this plugin is a requirement for exploitation of the issue.

The Apache Struts2 advisory on CVE-2017-9805 is found at https://struts.apache.org/docs/s2-052.html.
The Apache Struts2 advisory on CVE-2017-9793 is found at https://struts.apache.org/docs/s2-051.html.

CVE-2017-12611

After a thorough investigation, vSECR has not been able to identify any VMware product that is affected by CVE-2017-12611.

vSECR has found that VMware products shipping with Apache Struts 2.3.x or 2.5.x do not use FreeMarker tags with Apache Struts.

The Apache Struts2 advisory on CVE-2017-12611 is found at https://struts.apache.org/docs/s2-053.html.

Note on vulnerability scanners:

Typically, vulnerability scanners perform a simple version scan of Apache Struts to look for issues such as CVE-2017-9805, CVE-2017-12611, and CVE-2017-9793. While the version of Apache Struts in VMware products may match a vulnerable Apache Struts release, there are specific conditions which must be met (see above) for exploitation to be possible. VMware products do not meet these conditions and are therefore not vulnerable; these scanner findings can be considered false positives.
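As an added illustration of the point above (constructed for this note, not VMware's or Apache's code), the helper below triages a scanner hit by checking the two prerequisites the advisory names instead of stopping at the Struts version: a REST plugin jar under WEB-INF/lib, and Struts tags used from FreeMarker templates. It assumes the standard WEB-INF/lib layout, the upstream jar naming pattern, and the `<@s.tag>` FreeMarker syntax; the sample webapp and its 2.3.0 placeholder version are constructed.

```python
import os
import re
import tempfile

# Constructed triage helper (not VMware's or Apache's code): it checks the
# prerequisites the advisory names instead of stopping at the Struts version.
STRUTS_CORE = re.compile(r"^struts2-core-([\d.]+)\.jar$")
REST_PLUGIN = re.compile(r"^struts2-rest-plugin-[\d.]+\.jar$")
STRUTS_FTL_TAG = re.compile(r"<@s\.\w+")  # Struts tag used from a FreeMarker template


def triage(webapp_root):
    """Per CVE, report whether the condition beyond 'matching version' is met."""
    version, rest_plugin, ftl_hits = None, False, []
    for dirpath, _, files in os.walk(webapp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = STRUTS_CORE.match(name)
            if m:
                version = m.group(1)
            elif REST_PLUGIN.match(name):
                rest_plugin = True
            elif name.endswith(".ftl"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if STRUTS_FTL_TAG.search(fh.read()):
                        ftl_hits.append(os.path.relpath(path, webapp_root))
    return {
        "struts_version": version,
        "CVE-2017-9805": rest_plugin,      # S2-052: needs the REST plugin deployed
        "CVE-2017-9793": rest_plugin,      # S2-051: same prerequisite
        "CVE-2017-12611": bool(ftl_hits),  # S2-053: needs Struts tags in FreeMarker
        "ftl_files": ftl_hits,
    }


def build_sample_webapp(rest_plugin=False, struts_ftl_tags=False):
    """Constructed WEB-INF layout with a placeholder 2.3.0 core jar for trying triage()."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-2.3.0.jar"), "w").close()
    if rest_plugin:
        open(os.path.join(lib, "struts2-rest-plugin-2.3.0.jar"), "w").close()
    template = "<#assign s=JspTaglibs['/struts-tags'] />\n"
    if struts_ftl_tags:
        template += '<@s.textfield name="username" />\n'
    with open(os.path.join(root, "WEB-INF", "page.ftl"), "w") as fh:
        fh.write(template)
    return root
```

With the default sample (no REST plugin, no Struts tags in templates) all three conditions come back False, which is the situation the note above describes as a scanner false positive.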