VIP Enterprise Gateway fix for the Struts 2 vulnerabilities CVE-2017-5638, CVE-2017-9805, CVE-2018-11776 and CVE-2016-1000031


Article ID: 164807


Products

VIP Enterprise Gateway

Issue/Introduction

Resolved in VIP Enterprise Gateway 9.8.3 and later; upgrade wherever possible. Releases 9.8.0 through 9.8.2 bundle an Apache Struts 2 version that contains the vulnerabilities CVE-2017-5638, CVE-2017-9805 and CVE-2018-11776. This article describes those vulnerabilities and how to patch the VIP Enterprise Gateway. The patch files described in this article can be obtained by contacting VIP Enterprise Support.

CVE-2017-5638:

A remote code execution bug in the Apache Struts 2 web application framework: the Jakarta Multipart parser evaluates an attacker-supplied Content-Type header as an OGNL expression. This vulnerability affects VIP Enterprise Gateway 9.7.x and 9.8.0. It is resolved in VIP Enterprise Gateway 9.8.3/9.8.4 (available via Live Update).

CVE-2017-9805:

VIP Enterprise Gateway is not directly vulnerable to CVE-2017-9805, an unsafe XML deserialization issue in the XStream handler of the Struts REST plug-in. VIP Enterprise Gateway 9.7 and 9.8.x use Struts 2.3.x, but they do not use the vulnerable classes: the REST plug-in is not used in any part of the VIP Enterprise Gateway code, and neither are wget, curl, dig or certutil. URL validation is done by a third-party library that does not depend on Struts.

CVE-2018-11776:

A remote code execution bug in the Apache Struts 2 web application framework: when an action's namespace is taken from the request URL (for example with alwaysSelectFullNamespace enabled, or for an action with no namespace configured), Struts evaluates that namespace as an OGNL expression without sufficient validation. Enterprise Gateway is not directly vulnerable to this Apache Struts vulnerability even though Struts 2.3.x is used by VIP Enterprise Gateway 9.7 and 9.8.2/9.8.3.

This vulnerability stems from insufficient validation of untrusted user data in the core of the Struts framework.
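The request-path form of these OGNL probes (a URL-encoded "${" or "%{" in the path) is visible in an ordinary NCSA-style access log such as the one Jetty, the console's servlet container, can write, so it can be hunted for after the fact. The following is an added example and not code from this article or from the VIP Enterprise Gateway product: a POSIX shell function that URL-decodes the request target of each log line, including double-encoded forms, and flags lines whose target opens an OGNL expression. The log lines, client addresses and console paths are constructed for the example; the Content-Type vector of CVE-2017-5638 is not in an access log and needs a proxy or WAF log instead.

```shell
#!/bin/sh
# Added example, not part of the original article or the VIP Enterprise Gateway
# product. Scans NCSA-format access log lines for request targets that decode to
# an OGNL expression opener ("${" or "%{"), the shape used to probe for
# CVE-2018-11776-style namespace injection.

# Constructed sample log: addresses, paths and timestamps are made up here.
eg_sample_log() {
    cat <<'EOF'
10.0.0.5 - - [01/Sep/2018:10:00:01 +0000] "GET /vipegconsole/login.action HTTP/1.1" 200 5120
10.0.0.9 - - [01/Sep/2018:10:00:02 +0000] "GET /%24%7B1%2B1%7D/login.action HTTP/1.1" 404 312
10.0.0.9 - - [01/Sep/2018:10:00:03 +0000] "GET /%2525%257B1%2B1%257D/index.action HTTP/1.1" 404 312
10.0.0.7 - - [01/Sep/2018:10:00:04 +0000] "POST /vipegconsole/search.action?q=%24price HTTP/1.1" 200 2048
EOF
}

# Reads log lines from the files given as arguments (or from stdin), prints each
# suspicious line prefixed with its line number, and returns 0 if anything was
# flagged and 1 otherwise (grep convention).
eg_scan_access_log() {
    awk '
    {
        u = toupper($7)              # request target of "METHOD target PROTOCOL"
        # Decode only the characters that matter, and do it twice so a
        # double-encoded opener (%2524 -> %24 -> $) does not slip past.
        for (i = 0; i < 2; i++) {
            gsub(/%25/, "%", u); gsub(/%24/, "$", u)
            gsub(/%7B/, "{", u); gsub(/%7D/, "}", u)
        }
        if (u ~ /[$%][{]/) { hits++; print NR ": " $0 }
    }
    END { exit (hits > 0 ? 0 : 1) }' "$@"
}

# Stand-alone run: the second and third sample lines are flagged, the fourth
# (a lone "$" with no "{") is not.
eg_sample_log | eg_scan_access_log
```

Point the function at the real request log (eg_scan_access_log /path/to/request.log) and treat any hit against the console as an exploitation attempt to investigate, whether or not the gateway version is affected.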

 

The VIP Enterprise Gateway version is shown at the bottom of the VIP Enterprise Gateway console login screen.

CVE-2016-1000031

CVE-2016-1000031 is a Java deserialization vulnerability in the Apache Commons FileUpload library (DiskFileItem) rather than in Struts itself. Enterprise Gateway 9.8.4 is protected from this exploit because input is validated using OWASP libraries before the data is processed.


Resolution

VIP Enterprise Gateway 9.8.2/9.8.3

These instructions apply to VIP Enterprise Gateway 9.8.2/9.8.3 on Windows or Linux platforms only:

  1. Contact VIP Technical Support for the appropriate patch file for use in step 3.

  2. Stop the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Stop the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh

  3. Download the file provided by support to a temporary location:
    Windows: 982_windows_vipconsole.war or 983_windows_vipconsole.war (as needed for your version)
    Linux: 982_Lin_vipconsole.war or 983_Lin_vipconsole.war (as needed for your version)

  4. Locate the file vipconsole.war in the <EG_HOME>/server/webapps folder and create a backup of it. Copy the file downloaded in step 3 into that folder and rename it to vipconsole.war, replacing the original.

  5. Delete the jetty folder from the <EG_HOME>/server/work directory. This is the directory into which Jetty unpacked the old vipconsole.war; removing it forces the new WAR to be unpacked on the next start.
    example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-

  6. Start the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Start the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh

Rollback procedures for VIP Enterprise Gateway 9.8.2/9.8.3

  1. Stop the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Stop the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh

  2. Delete the jetty folder in the <EG_HOME>/server/work directory.
    example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-

  3. Restore the backed-up vipconsole.war to the <EG_HOME>/server/webapps folder.

  4. Start the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Start the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh

VIP Enterprise Gateway 9.8.0/9.8.1

Symantec recommends upgrading to 9.8.3 or later, then applying the patch for that version. 

VIP Enterprise Gateway 9.7

These instructions apply to VIP Enterprise Gateway 9.7.x on Windows or Linux platforms only.

  1. Contact VIP Technical Support for the appropriate patch file for use in step 3.

  2. Stop the VIP Enterprise Gateway Service.

    • Windows: Go to Start > Administrative Tools > Services. Stop the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh

  3. Download the file provided by support to a temporary location:
    Windows: 97_Win_vipconsole.war
    Linux: 97_Lin_vipconsole.war

  4. Locate the file vipconsole.war in the <EG_HOME>/server/webapps folder and create a backup of it. Copy the file downloaded in step 3 into that folder and rename it to vipconsole.war, replacing the original.

  5. Delete the jetty folder from the <EG_HOME>/server/work directory. This is the directory into which Jetty unpacked the old vipconsole.war; removing it forces the new WAR to be unpacked on the next start.
    example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-

  6. Start the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Start the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh

Note: If you upgrade the Enterprise Gateway after applying this patch, you must then apply the patch that corresponds to the new version.

Rollback procedures for VIP Enterprise Gateway 9.7

  1. Stop the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Stop the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/shutdown.sh

  2. Delete the jetty folder in the <EG_HOME>/server/work directory.
    example: <EG_HOME>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-

  3. Restore the backed-up vipconsole.war to the <EG_HOME>/server/webapps folder.

  4. Start the VIP Enterprise Gateway Service:

    • Windows: Go to Start > Administrative Tools > Services. Start the VIP Enterprise Gateway service.

    • Linux: Run <VRSN_MAUTH_HOME>/server/bin/startup.sh
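The Linux steps of the 9.8.2/9.8.3 and 9.7 procedures above differ only in the name of the patch file, so they can be scripted, together with the rollback, as one set of shell functions. The following is an added example, not code from this article or from the VIP Enterprise Gateway product. It assumes that <EG_HOME> and <VRSN_MAUTH_HOME> name the same installation directory (the article uses both placeholders), that the first argument is that directory and the second is the patched vipconsole.war obtained from VIP Technical Support. It also adds a post-patch check the article does not describe: the deployed WAR must be byte-for-byte the file support sent, and the old unpacked console directory must be gone.

```shell
#!/bin/sh
# Added example (not part of the original article or the VIP Enterprise Gateway
# product): the Linux patch, rollback and a post-patch check as shell functions.
# Assumption: <EG_HOME> and <VRSN_MAUTH_HOME> in the article are the same
# installation directory; it is passed as the first argument here.

# Remove the directory into which Jetty unpacked the console WAR so that the
# new WAR is unpacked on the next start (step 5 of the article).
eg_clear_jetty_work() {
    rm -rf "$1"/server/work/jetty-*-vipconsole.war-*
}

# eg_patch_apply <EG_HOME> <patched vipconsole.war from support>
eg_patch_apply() {
    eg_home=$1
    patch_war=$2
    webapps="$eg_home/server/webapps"

    [ -f "$patch_war" ] || { echo "patch file not found: $patch_war" >&2; return 1; }
    [ -f "$webapps/vipconsole.war" ] || { echo "no vipconsole.war in $webapps" >&2; return 1; }

    "$eg_home/server/bin/shutdown.sh" || return 1                            # step 2
    cp -p "$webapps/vipconsole.war" "$webapps/vipconsole.war.bak" || return 1 # step 4: backup
    cp "$patch_war" "$webapps/vipconsole.war" || return 1                     # step 4: replace and rename
    eg_clear_jetty_work "$eg_home"                                            # step 5
    "$eg_home/server/bin/startup.sh"                                          # step 6
}

# eg_patch_rollback <EG_HOME>: restore the backup taken by eg_patch_apply.
eg_patch_rollback() {
    eg_home=$1
    webapps="$eg_home/server/webapps"

    [ -f "$webapps/vipconsole.war.bak" ] || { echo "no backup to restore in $webapps" >&2; return 1; }
    "$eg_home/server/bin/shutdown.sh" || return 1
    eg_clear_jetty_work "$eg_home"
    mv "$webapps/vipconsole.war.bak" "$webapps/vipconsole.war" || return 1
    "$eg_home/server/bin/startup.sh"
}

# eg_patch_verify <EG_HOME> <patched vipconsole.war>: returns 0 only if the
# deployed WAR is byte-for-byte the patch file and no stale unpacked console
# directory remains under server/work.
eg_patch_verify() {
    eg_home=$1
    patch_war=$2
    cmp -s "$patch_war" "$eg_home/server/webapps/vipconsole.war" || return 1
    for d in "$eg_home"/server/work/jetty-*-vipconsole.war-*; do
        [ -e "$d" ] && return 1
    done
    return 0
}
```

Run eg_patch_apply <EG_HOME> <patch.war>, then eg_patch_verify with the same two arguments before trusting the patched console; eg_patch_rollback <EG_HOME> restores the backup. The Windows procedure is the same file sequence with the service stopped and started from the Services console instead of the scripts.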

VIP Enterprise Gateway 9.6.1 and earlier

Symantec recommends that you upgrade to Enterprise Gateway 9.8.3 or later.

VIP Self-Service Portal IdP Proxy (all versions)

The VIP Self-Service Portal IdP proxy is not affected by these vulnerabilities.

 

Attachments

vipconsole_97_win.war
vipconsole_97_lnx.war
983_Win_vipconsole.war
983_Lin_vipconsole.war
982_Win_vipconsole.war
982_Lin_vipconsole.war