The CVE-2023-34149 and CVE-2023-50164 vulnerabilities exist in Apache Struts version 2.0.0 to 2.5.32.

Apache struts2-2.5.26 version (VIP EG 9.9.x) and Apache struts2-2.5.30 version (VIP EG 9.10.x) exist in the install directory of the VIP Enterprise Gateway. 

VIP Enterprise Gateway on Windows or Linux

CVE-2023-34149

CVE-2023-50164

Steps to replace Struts jars – Applies to VIP Enterprise Gateway version 9.9.x or 9.10.x.

1. Download the latest 2.5.33 struts libraries from https://dlcdn.apache.org/struts/2.5.33/struts-2.5.33-all.zip
2. Extract struts2-core-2.5.33.jar and struts2-tiles-plugin-2.5.33.jar from this downloaded zip (Struts-2.5.33/lib location)
3. Stop Symantec VIP Enterprise Gateway service.
4. Navigate to the <VIPEGInstallDirectory>/VIP_Enterprise_Gateway/server/webapps directory.
5. Keep\create a backup of vipconsole.war.
6. Use WinRAR to open vipconsole.war 
7. Navigate to /vipconsole/WEB_INF/lib section.
8. Delete struts2-core-2.5.x and struts2-tiles-plugin-2.5.x and add struts2-core-2.5.33.jar and struts2-tiles-plugin-2.5.33.jar (downloaded in step 1).
9. Close the WinRAR window. Reopen and check if the files are replaced. 
10. Delete the contents under <VIPEGInstallDirectory>/VIP_Enterprise_Gateway/server/work
11. Start Symantec VIP Enterprise Gateway service.

Note: Struts2 version 2.5.33 is included in VIP Gateway 9.11.0

If you wish to stay on a lower version of VIP Gateway at this time, then whenever possible, upgrade to VIP EG 9.10.3 (Windows) or 9.10.2 (Linux) before applying this fix.

Extracting a WAR File in Linux

https://www.win-rar.com