Apache Releases Security Advisory for Struts 2 Vulnerabilities for Symantec VIP


Article ID: 240743




VIP Service


The CVE-2023-34149 and CVE-2023-50164 vulnerabilities affect Apache Struts versions 2.0.0 to 2.5.32.

The install directory of the VIP Enterprise Gateway contains Apache Struts 2.5.26 (VIP EG 9.9.x) or Apache Struts 2.5.30 (VIP EG 9.10.x).




VIP Enterprise Gateway on Windows or Linux





Steps to replace Struts jars – Applies to VIP Enterprise Gateway version 9.9.x or 9.10.x.

  1. Download the latest 2.5.33 Struts libraries from https://dlcdn.apache.org/struts/2.5.33/struts-2.5.33-all.zip
  2. Extract struts2-core-2.5.33.jar and struts2-tiles-plugin-2.5.33.jar from the downloaded zip (Struts-2.5.33/lib location).
  3. Stop the Symantec VIP Enterprise Gateway service.
  4. Navigate to the <VIPEGInstallDirectory>/VIP_Enterprise_Gateway/server/webapps directory.
  5. Create and keep a backup of vipconsole.war.
  6. Use WinRAR to open vipconsole.war.
  7. Navigate to the /vipconsole/WEB-INF/lib section.
  8. Delete struts2-core-2.5.x and struts2-tiles-plugin-2.5.x, then add struts2-core-2.5.33.jar and struts2-tiles-plugin-2.5.33.jar (from the zip downloaded in step 1).
  9. Close the WinRAR window. Reopen the archive and check that the files have been replaced.
  10. Delete the contents under <VIPEGInstallDirectory>/VIP_Enterprise_Gateway/server/work.
  11. Start the Symantec VIP Enterprise Gateway service.
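
The check in step 9 can also be scripted. The following is an added example, not part of the original article or of any Symantec or Apache tooling: it opens the WAR as a zip archive and reports whether the two replaced jars are present once each, at 2.5.33 or later. The function names `struts_jars` and `audit_war` are hypothetical, and the script assumes the jars sit in the standard `WEB-INF/lib` directory of the archive.

```python
import re
import sys
import zipfile

FIXED = (2, 5, 33)  # Struts release installed by the steps above
REQUIRED = ("struts2-core", "struts2-tiles-plugin")  # jars the steps replace
# WEB-INF/lib is the standard library directory inside a WAR archive.
JAR_RE = re.compile(r"^WEB-INF/lib/(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def struts_jars(war_path):
    """Map each struts2-* artifact in WEB-INF/lib to its version tuples."""
    found = {}
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            match = JAR_RE.match(name)
            if match:
                version = tuple(int(p) for p in match.group(2).split("."))
                found.setdefault(match.group(1), []).append(version)
    return found


def audit_war(war_path):
    """Return a list of problems; an empty list means the swap is complete."""
    jars = struts_jars(war_path)
    problems = []
    for artifact in REQUIRED:
        versions = sorted(jars.get(artifact, []))
        if not versions:
            problems.append(f"{artifact}: missing from WEB-INF/lib")
            continue
        if len(versions) > 1:
            # Old and new jar side by side: the old one was never deleted.
            problems.append(f"{artifact}: {len(versions)} copies present")
        for version in versions:
            if version < FIXED:
                text = ".".join(map(str, version))
                problems.append(f"{artifact}: {text} is older than 2.5.33")
    return problems


if __name__ == "__main__":
    issues = audit_war(sys.argv[1])  # path to vipconsole.war
    print("\n".join(issues) if issues else "OK: both jars are at 2.5.33 or later")
    sys.exit(1 if issues else 0)
```

Run it against the edited vipconsole.war before starting the service in step 11; a non-zero exit code means the archive still needs attention.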


Struts2 version 2.5.33 will be included in VIP Gateway 9.11.0 (coming soon). Whenever possible, upgrade to VIP EG 9.10.3 (Windows) or 9.10.2 (Linux) before applying this fix.

Additional Information

Extracting a WAR File in Linux

How to Create a New WAR File