VertiGIS uses this page to provide centralized information about the following vulnerabilities in Apache Struts and their impact on the UT for ArcGIS product family.
- CVE-2023-34149: Apache Struts: DoS via OOM owing to not properly checking of list bounds
- CVE-2023-34396: Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms
- CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability
This article will be updated as new information becomes available.
Products affected
- UT Integrator
The current version (build 10.534.85) already uses a version of Apache Struts that includes fixes for the vulnerabilities. VertiGIS recommends upgrading to the current version of UT Integrator.
- UT Click Before You Dig (UT CBYD)
The current version (build 4098) already uses a version of Apache Struts that includes fixes for the vulnerabilities. VertiGIS recommends upgrading to the current version of UT Click Before You Dig.
- UT AppConnector
There is currently no released version of UT AppConnector that uses a version of Apache Struts with fixes for the vulnerabilities, and a new release is currently not planned. However, the affected libraries can be replaced manually to fix the vulnerabilities. We tested this configuration with the current version 10.1009 and did not find any issues.
- Stop Tomcat service of the UT AppConnector
- Delete the files struts2-json-plugin-2.5.20.jar and struts2-core-2.5.20.jar in the WEB-INF\lib\ directory of the UT AppConnector
- Unzip the files from the attachment in this article into the same directory
- Start Tomcat service of the UT AppConnector
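The four steps above, scripted for a Windows host as an added example (this is not VertiGIS code and is not part of the article). The service name, the path to the WEB-INF\lib directory of the UT AppConnector and the path to the downloaded attachment are placeholders that have to be set for the installation at hand; the script also backs up the two deleted jars and checks afterwards that no struts2 jar of version 2.5.20 remains in the directory.

```powershell
# Added example: manual replacement of the Apache Struts libraries in UT AppConnector.
# The three values below are placeholders (not taken from the article) and must be adjusted.
$ServiceName   = 'Tomcat9'                                                  # placeholder: Tomcat service of the UT AppConnector
$LibDir        = 'C:\UTAppConnector\webapps\appconnector\WEB-INF\lib'       # placeholder: WEB-INF\lib of the UT AppConnector
$AttachmentZip = 'C:\Temp\struts-replacement.zip'                           # placeholder: attachment downloaded from this article
$BackupDir     = Join-Path $env:TEMP ('struts-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# The two jars named in the article that have to be removed.
$OldJars = @('struts2-json-plugin-2.5.20.jar', 'struts2-core-2.5.20.jar')

# Step 1: stop the Tomcat service and wait until it has really stopped,
# so that no jar is still locked by the JVM when we delete it.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2: back up and then delete the two vulnerable jars.
New-Item -ItemType Directory -Path $BackupDir | Out-Null
foreach ($jar in $OldJars) {
    $path = Join-Path $LibDir $jar
    if (Test-Path $path) {
        Copy-Item -Path $path -Destination $BackupDir
        Remove-Item -Path $path
    } else {
        Write-Warning "$jar not found in $LibDir (already replaced?)"
    }
}

# Step 3: unzip the replacement libraries from the attachment into the same directory.
Expand-Archive -Path $AttachmentZip -DestinationPath $LibDir -Force

# Step 4: start the Tomcat service again.
Start-Service -Name $ServiceName

# Check: the old 2.5.20 jars must be gone and replacement struts2 jars must be present.
$remaining = Get-ChildItem -Path $LibDir -Filter 'struts2-*-2.5.20.jar'
$present   = Get-ChildItem -Path $LibDir -Filter 'struts2-*.jar'
if ($remaining) {
    Write-Error "Old Struts 2.5.20 jars still present: $($remaining.Name -join ', ')"
} elseif (-not $present) {
    Write-Error "No struts2 jars found in $LibDir after replacement; restore from $BackupDir"
} else {
    Write-Output "Struts jars now in ${LibDir}: $($present.Name -join ', ')"
}
```

Run the script from an elevated PowerShell session, since stopping and starting the service requires administrative rights. The backup directory keeps the original jars so that the replacement can be reverted if the application does not start afterwards.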
Products not affected
Other products in the UT for ArcGIS family, including Plot and WMPS, are not affected because they do not use Java or do not use the Apache Struts library.
Comments
Please note the update of the article regarding UT AppConnector.