We were notified of the following vulnerability in Struts in the version range 2.0.0 to 2.5.29; an Apache struts2-2.5.26 version was found in our install directory for VIP Enterprise Gateway (/opt/Symantec VIP_Enterprise_Gateway/). Please advise whether a fix or workaround is expected.
Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater, which checks whether expression evaluation would lead to double evaluation.
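To confirm which Struts build an installation actually ships before and after patching, here is an added example (not Broadcom's or Apache's tooling) that walks an install tree for struts2-core jars and flags any whose version falls in the S2-062 range, 2.0.0 through 2.5.29. The default scan root is the VIP Enterprise Gateway directory named in the question; that path, and the assumption that the jar file name carries the version, are assumptions of this example.

```python
"""Scan an install tree for Apache Struts 2 core jars and report those in the
S2-062 / CVE-2021-31805 affected range (2.0.0 through 2.5.29).

Added example, not Broadcom/Symantec or Apache tooling. The default path is
the VIP Enterprise Gateway directory from the question (an assumption)."""
import os
import re
import sys
from typing import Iterator, Optional, Tuple

# Affected range published in the S2-062 advisory; 2.5.30 carries the fix.
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (2, 5, 30)

# Matches e.g. struts2-core-2.5.26.jar; tolerates a qualifier such as -SNAPSHOT.
JAR_NAME = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$", re.IGNORECASE)


def parse_struts_version(filename: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a struts2-core jar name, else None."""
    m = JAR_NAME.match(os.path.basename(filename))
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when version lies in [2.0.0, 2.5.30), the range S2-062 covers."""
    return AFFECTED_MIN <= version < FIXED_IN


def find_struts_jars(root: str) -> Iterator[Tuple[str, Tuple[int, int, int]]]:
    """Walk root and yield (path, version) for every struts2-core jar found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_struts_version(name)
            if version is not None:
                yield os.path.join(dirpath, name), version


def scan(root: str) -> int:
    """Print one line per jar and return the number still in the affected range."""
    exposed = 0
    for path, version in find_struts_jars(root):
        affected = is_affected(version)
        exposed += affected
        label = "AFFECTED" if affected else "ok"
        print(f"{label:9} struts2-core {'.'.join(map(str, version))}  {path}")
    return exposed


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/Symantec VIP_Enterprise_Gateway"
    sys.exit(1 if scan(root) else 0)
```

The exit status is non-zero when any affected jar remains, so the script can gate a post-upgrade check.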
Notification:
Original release date: April 12, 2022
The Apache Software Foundation has released a security advisory to address a vulnerability in Struts in the version range 2.0.0 to 2.5.29. An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review Apache’s security advisory S2-062 and upgrade to the latest released version.
Link to the security advisory S2-062: https://cwiki.apache.org/confluence/display/WW/S2-062
Release: 1.0
Component: VIP Enterprise Gateway
CVE-2021-31805
EG Console:
Note:
This vulnerability is fixed in the VIP Enterprise Gateway 9.10 release, which is available for download from VIP Manager. The release notes for that version can be referenced for details.