DX NetOps: CVE-2023-50164

Article ID: 276956

Products

DX NetOps
CA Spectrum
CA Performance Management - Usage and Administration
CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

Are the DX NetOps components vulnerable to CVE-2023-50164?

Resolution

DX NetOps Portal / Data Aggregator / Data Collector do not use Struts and therefore are not vulnerable.

DX NetOps Network Flow Analysis does not use Struts and therefore is not vulnerable.

DX NetOps VNA does not use Struts and is not vulnerable.

DX NetOps Spectrum releases prior to 23.3.5 use Struts version 2.5.31 and are therefore vulnerable.

23.3.5 will include the fix for this vulnerability and Broadcom highly suggests customers upgrade to this release when available (January 2024).

Affected versions of DX NetOps Spectrum have a third party library struts2-core*.jar which is vulnerable to CVE-2023-50164. The file upload component has a directory traversal vulnerability. An attacker can manipulate file upload parameters to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
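The following is an added example (not Broadcom's code) that walks an install tree for the struts2-core jar named above and classifies each copy against the 2.5.33 release that the Solution section cites as the fix. The jar naming pattern, the sample paths and the decision to report only the 2.5 line are assumptions.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release for the Struts 2.5 line, as stated in the Solution section.
FIXED_VERSION: Version = (2, 5, 33)

# Assumed jar naming pattern, e.g. struts2-core-2.5.31.jar -> (2, 5, 31).
_JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)


def parse_struts_version(path: str) -> Optional[Version]:
    """Return (major, minor, patch) for a struts2-core jar, or None for any other file."""
    m = _JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """'vulnerable' below 2.5.33, 'fixed' at or above it. Other lines are 'unknown'
    because this article only states the 2.5 fix (assumption: do not guess)."""
    if version[:2] != (2, 5):
        return "unknown"
    return "vulnerable" if version < FIXED_VERSION else "fixed"


def classify_paths(paths: Iterable[str]) -> List[Tuple[str, Version, str]]:
    """Keep only struts2-core jars and pair each with its version and status."""
    results = []
    for p in paths:
        v = parse_struts_version(p)
        if v is not None:
            results.append((p, v, classify(v)))
    return results


def scan_tree(root: str) -> List[Tuple[str, Version, str]]:
    """Walk an install directory and classify every struts2-core jar found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return classify_paths(found)


# Constructed sample paths; not taken from a real install.
SAMPLE_PATHS = [
    "/example/spectrum/WEB-INF/lib/struts2-core-2.5.31.jar",
    "/example/spectrum/WEB-INF/lib/struts2-core-2.5.33.jar",
    "/example/spectrum/WEB-INF/lib/struts2-json-plugin-2.5.31.jar",
]

if __name__ == "__main__":
    import sys
    rows = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else classify_paths(SAMPLE_PATHS)
    for path, version, status in rows:
        print(f"{status:10} {'.'.join(map(str, version)):8} {path}")
```

Run it with the Spectrum install directory as the only argument; with no argument it classifies the constructed sample paths.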

Platform(s): Windows and Linux.

Affected Version(s): DX NetOps Spectrum 21.2.x, 22.2.x and 23.3.1, 23.3.2, 23.3.3 and 23.3.4.

Note: DX NetOps 21.2.x is End of Service as of December 31, 2023. Broadcom advises all customers to upgrade to the latest GA release.

Impact: The way Spectrum uses Struts and the type of access required leaves very little chance of exposure. In order for this vulnerability to be exploited, an attacker needs privileged access and must leverage the upload facility of Struts, which Spectrum does not use. However, Broadcom understands that a resolution is preferred.

Solution: Apache Struts addressed this vulnerability in their latest release, 2.5.33. DX NetOps users can obtain the updated version of Struts through any of the following methods, depending on the installed NetOps release version.

Solution for DX NetOps release 22.2.6 and above:

Upgrade to DX NetOps Spectrum release 23.3.5 which is tentatively scheduled to be released in January 2024. Please follow the upgrade instructions that are in the patch documentation.

(OR)

For release 23.3.1 through 23.3.4 or 22.2.6 through 22.2.12, Broadcom has created a Struts Upgrade Patch. Please contact Broadcom Support to obtain the Spectrum Struts Upgrade Patch.

Solution for DX NetOps releases 22.2.1 through 22.2.5:

Please open a case with the Broadcom NetOps Support team and an engineer will assist you with upgrading Struts.