Security scans against VCSA 7.0 prior to Update 3d report Apache Struts 2.5.22 / CVE-2020-17530
Article ID: 318214
Updated On: 02-22-2024
Products
VMware vCenter Server
Issue/Introduction
When running a security scan against a vCenter Server Appliance 7.0 earlier than Update 3d, Apache Struts version 2.5.22 is reported, which is vulnerable to CVE-2020-17530.
Environment
VMware vCenter Server 7.0.x
Resolution
The scan result is correct. vCenter Server Appliance 7.0 installations up to and including 7.0 Update 3c still contain the Apache Struts 2.5.22 library at /usr/lib/vmware/common-jars/struts2-core-2.5.22.jar. However, this library is no longer used by any binary in the vCenter Server Appliance; it is effectively dead code.
This issue has been fixed in vCenter Server 7.0 Update 3d and later versions, where the Apache Struts 2.5.22 library /usr/lib/vmware/common-jars/struts2-core-2.5.22.jar has been removed.
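The following is an added verification script, not part of this VMware article, that an administrator can use to confirm the two statements above on an appliance: whether the jar file still exists at the documented path, and whether any running process actually has it open. The only path it relies on is the jar location quoted in this article; the open-file listing format (one path per line, as produced by the `lsof -Fn` pipeline in the comment) and the helper name `classify_struts_jar` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not VMware's code): classify the Struts 2.5.22 jar on a VCSA.
# Jar path is the one documented in the KB article.
STRUTS_JAR="/usr/lib/vmware/common-jars/struts2-core-2.5.22.jar"

# classify_struts_jar <jar_path> <open_files_listing>
#   <open_files_listing> is a text file with one currently open file path per
#   line, e.g. produced on the appliance with:
#       lsof -Fn 2>/dev/null | sed -n 's/^n//p' > /tmp/open-files.txt
#   Prints one of: absent | present-unused | present-in-use
classify_struts_jar() {
    jar="$1"
    openlist="$2"
    if [ ! -f "$jar" ]; then
        # 7.0 Update 3d and later: file has been removed.
        echo absent
    elif grep -qF -- "$jar" "$openlist"; then
        # Some process has the jar mapped/open: it is NOT dead code here.
        echo present-in-use
    else
        # File exists but nothing has it open: matches the KB's "dead code" statement.
        echo present-unused
    fi
}

# Self-contained demonstration with constructed data (no live appliance needed).
demo_dir=$(mktemp -d)
fake_jar="$demo_dir/struts2-core-2.5.22.jar"
touch "$fake_jar"
# Constructed open-file listing: a JVM runtime jar, but not the Struts jar.
printf '%s\n' "/usr/lib/jvm/lib/rt.jar" > "$demo_dir/open-files.txt"
echo "constructed listing -> $(classify_struts_jar "$fake_jar" "$demo_dir/open-files.txt")"
rm -rf "$demo_dir"

# Live check on an appliance (uncomment to run as root on the VCSA):
# lsof -Fn 2>/dev/null | sed -n 's/^n//p' > /tmp/open-files.txt
# echo "$STRUTS_JAR -> $(classify_struts_jar "$STRUTS_JAR" /tmp/open-files.txt)"
```

A result of `present-unused` on 7.0 Update 3c or earlier is the expected, finding-is-correct-but-not-exploited state described in this article; `absent` is what Update 3d and later should report. `present-in-use` would contradict the article and is worth raising with VMware support before closing the scan finding.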