Resolved in VIP EG 9.8.3 and later. Upgrade wherever possible. If you are using 9.8.0 - 9.8.2, the bundled Apache Struts 2 contains vulnerabilities CVE-2017-5638, CVE-2017-9805, and CVE-2018-11776. These vulnerabilities and the solution for patching the VIP Enterprise Gateway are described in this article. The patch files described in this article can be obtained by contacting VIP Enterprise Support.
CVE-2017-5638:
A code-execution bug resides in the Apache Struts 2 Web application framework. This vulnerability affects VIP Enterprise Gateway 9.7.x and 9.8.0 versions. This issue was resolved in VIP Enterprise Gateway 9.8.3/9.8.4 (available via Live Update).
CVE-2017-9805:
VIP Enterprise Gateway is not directly vulnerable to Apache Struts vulnerability CVE-2017-9805. Struts 2.3.x is used by VIP Enterprise Gateway 9.7 and 9.8.x. However, VIP Enterprise Gateway does not use the classes that are vulnerable. Specifically, wget, curl, dig, certutil, and the REST plug-in are not used in any part of the VIP Enterprise Gateway code. A third-party library is used for URL validation and is not dependent on Struts.
CVE-2018-11776:
A remote code execution bug resides in the Apache Struts 2 web application framework. Enterprise Gateway is not directly vulnerable to this Apache Struts vulnerability, even though Struts 2.3.x is used by VIP Enterprise Gateway 9.7 and 9.8.2/9.8.3.
This vulnerability is linked to insufficient validation of untrusted user data in the core of the Struts framework.
The VIP Enterprise Gateway version can be located at the bottom of the VIP Enterprise Gateway console login screen.
CVE-2016-1000031:
Enterprise Gateway 9.8.4 is protected from this exploit since we do input validation using OWASP libraries. Input is checked before processing the data.
These instructions are applicable for VIP Enterprise Gateway 9.8.2/9.8.3 on Windows or Linux platforms only:
Contact VIP Technical Support for the appropriate patch file for use in step 3.
Stop the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Stop the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh
Download the following file to a temporary location:
Windows : 982_windows_vipconsole.war, or 983_windows_vipconsole.war (as needed for your version)
Linux: 982_Lin_vipconsole.war, or 983_Lin_vipconsole.war (as needed for your version)
Locate and create a backup of the file vipconsole.war in the <EG_HOME>/server/webapps folder. Replace it with the downloaded file from step 3. Rename the downloaded file to vipconsole.war.
Delete the jetty folder from the <EG_HOME>/server/work directory.
Example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-
Start the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Start the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh
Rollback procedures for VIP Enterprise Gateway 9.8.2/9.8.3
Stop the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Stop the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh
Delete the jetty folder in the <EG_HOME>/server/work directory.
Example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-
Restore the backed-up vipconsole.war to the <EG_HOME>/server/webapps folder.
Start the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Start the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh
Symantec recommends upgrading to 9.8.3 or later, then applying the patch for that version.
These instructions are applicable only for VIP Enterprise Gateway 9.7.x on Windows or Linux platforms:
Contact VIP Technical Support for the appropriate patch file for use in step 3.
Stop the VIP Enterprise Gateway Service.
Windows: Go to Start→Administrative Tools→Services. Stop the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh
Download the following file to a temporary location:
Windows: 97_Win_vipconsole.war
Linux: 97_Lin_vipconsole.war
Locate and create a backup of the file vipconsole.war in the <EG_HOME>/server/webapps folder. Replace it with the downloaded file from step 2. Rename the downloaded file to vipconsole.war.
Delete the jetty folder from the <EG_HOME>/server/work directory.
Example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-
Start the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Start the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh
Rollback procedures for VIP Enterprise Gateway 9.7.x
Stop the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Stop the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh
Delete the jetty folder in the <VIPEG_INSTALLATION>/server/work directory.
Example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-
Restore the backed-up vipconsole.war to the <EG_HOME>/server/webapps folder.
Start the VIP Enterprise Gateway Service:
Windows: Go to Start→Administrative Tools→Services. Start the VIP Enterprise Gateway service.
Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh
Symantec recommends that you upgrade to Enterprise Gateway 9.8.3 or later.
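The Linux patch and rollback steps above (for both the 9.8.2/9.8.3 and the 9.7.x procedures) scripted as an added example; this is not Symantec's code or part of the product. It assumes the layout <EG_HOME>/server/webapps/vipconsole.war and <EG_HOME>/server/work/jetty-*, and that shutdown.sh has been run before it and startup.sh is run after it.

```shell
#!/bin/sh
# Added helper, not part of the Symantec article or product. Scripts the Linux
# patch and rollback steps for the console webapp. Assumes the layout
# <EG_HOME>/server/webapps/vipconsole.war and <EG_HOME>/server/work/jetty-*,
# and that shutdown.sh was run before and startup.sh is run after.
set -u

# Remove only the exploded console work directories, e.g.
# jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-, so jetty cannot keep
# serving the old unpacked webapp; other work directories are left alone.
clear_console_work_dirs() {
    for d in "$1"/jetty-*vipconsole.war*; do
        if [ -d "$d" ]; then rm -rf "$d"; fi
    done
}

# Back up the current vipconsole.war (timestamped), install the downloaded
# patch WAR under the original name and clear the work directory.
# Prints the backup path on success so it can be handed to the rollback.
# Usage: apply_vipconsole_patch <EG_HOME> <downloaded_war>
apply_vipconsole_patch() {
    eg_home=$1; patch_war=$2
    webapps="$eg_home/server/webapps"
    [ -f "$patch_war" ] || { echo "patch file not found: $patch_war" >&2; return 1; }
    [ -f "$webapps/vipconsole.war" ] || { echo "no vipconsole.war in $webapps" >&2; return 1; }
    backup="$webapps/vipconsole.war.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$webapps/vipconsole.war" "$backup" || return 1
    cp "$patch_war" "$webapps/vipconsole.war" || return 1
    clear_console_work_dirs "$eg_home/server/work"
    echo "$backup"
}

# Restore a backup produced by apply_vipconsole_patch and clear the work
# directory again, mirroring the rollback procedure.
# Usage: rollback_vipconsole_patch <EG_HOME> <backup_war>
rollback_vipconsole_patch() {
    eg_home=$1; backup=$2
    [ -f "$backup" ] || { echo "backup not found: $backup" >&2; return 1; }
    cp -p "$backup" "$eg_home/server/webapps/vipconsole.war" || return 1
    clear_console_work_dirs "$eg_home/server/work"
}
```

Keep the printed backup path; rollback_vipconsole_patch takes it as its second argument.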
VIP Self-Service Portal IdP Proxy (all versions)
The VIP Self-Service Portal IdP proxy is not affected by these vulnerabilities.