Apache Struts2 Vendor bulletins

Every time there is a critical vulnerability that is discovered, I often get the question “how am I impacted?”

The challenge is this, even if you have a vulnerability management toolset (Nessus, Qualys etc) you may not see the entire picture of what is impacted. There could be many reasons for this such as permissions to posture, here are a couple other reasons:

  1. You may not be able to do a credentialed scan on some Network Appliances.
  2. Firewalls may be blocking your scanner.
  3. Configuration of your scanner is lacking certain networks.

For the Apache Struts 2 vulnerability, I had a hard time coming up with a list of vendor bulletins for a few customers and thought I should share:


Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

VMWARE: https://www.vmware.com/security/advisories/VMSA-2017-0004.html

BMC: https://communities.bmc.com/blogs/application-security-news/2017/03/14/apache-struts-2-vulnerability-cve-2017-5638

Enterasys: https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2017/?q=apache&l=en_US&fs=Search&pn=1

HPE: http://h22208.www2.hpe.com/eginfolib/securityalerts/Struts/Struts-CVE-2017-5638%20.html

DELL/EMC Storage: https://emcservice.force.com/CustomersPartners/kA6j0000000L3j0CAC

Manageengine / Zoho (ServiceDeskPlus, Password Manager Pro etc): Not vulnerable uses old Apache struts version 1.3.310. (Determined by calling support)

Quest IdentityONE: Not affected (determined by calling support)


hopefully this saves someone time.