(NNMi & Metrics) Support Tip: Security announcement around CVE-2017-15707 & CVE-2017-7525
Here is a quick update on the impact scope of the Apache Struts 2 vulnerabilities (CVE-2017-15707 & CVE-2017-7525) on HPE Network Node Manager (NNMi) and the related iSPIs.
Vulnerability Description: The REST Plugin uses an outdated JSON-lib library that is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload. In addition, a vulnerability was discovered in the Jackson JSON library, related to CVE-2017-7525, which can lead to arbitrary code execution.
For more information about the Apache Struts 2 vulnerabilities (CVE-2017-15707, CVE-2017-7525), please refer to:
CVE-2017-15707 - https://cwiki.apache.org/confluence/display/WW/S2-054
CVE-2017-7525 - https://cwiki.apache.org/confluence/display/WW/S2-055
Note: Apache Struts 2 is not shipped with any of the NNMi/iSPI product versions. As a result, NNMi and the related iSPIs are not vulnerable to CVE-2017-15707 or CVE-2017-7525.
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HPE. If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
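To check the "not shipped" statement above against an actual installation, this added example (not HPE's or the post author's code) inventories jar files, including jars nested inside WAR/EAR archives, whose names match the libraries named in the advisory. The Maven-style file-name pattern, the helper names and the sample archive are assumptions constructed for illustration; a name-based scan does not see renamed or repackaged jars.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
# Jar names of the libraries the advisory names (assumed Maven-style naming).
WATCHED = ("struts2-core", "struts2-rest-plugin", "json-lib", "jackson-databind")
ARCHIVES = (".jar", ".war", ".ear")
NAME_RE = re.compile(r"^(%s)-(\d[\w.-]*)\.jar$" % "|".join(WATCHED))

def match(name):
    """Return (artifact, version) when a file name is one of the watched jars."""
    m = NAME_RE.match(name.rsplit("/", 1)[-1])
    return m.groups() if m else None

def scan_archive(data, label, hits, depth=0):
    """Walk an in-memory zip archive, descending into nested jar/war/ear files."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(ARCHIVES):
                    inner = f"{label}!/{info.filename}"
                    if match(info.filename):
                        hits.append((inner, *match(info.filename)))
                    if depth < 4:  # stop on pathological nesting
                        scan_archive(zf.read(info), inner, hits, depth + 1)
    except zipfile.BadZipFile:
        return  # not a readable archive, skip it

def scan_tree(root):
    """Return sorted (location, artifact, version) tuples found under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            if match(path.name):
                hits.append((str(path), *match(path.name)))
            scan_archive(path.read_bytes(), str(path), hits)
    return sorted(hits)

def constructed_sample(root):
    """Write a constructed WAR holding an empty, placeholder-versioned jar."""
    jar = io.BytesIO()
    zipfile.ZipFile(jar, "w").close()  # empty but valid zip
    with zipfile.ZipFile(Path(root) / "sample.war", "w") as war:
        war.writestr("WEB-INF/lib/jackson-databind-0.0.0.jar", jar.getvalue())
    return root

if __name__ == "__main__":  # demo on the constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        print(*scan_tree(constructed_sample(tmp)), sep="\n")
```

For a real check, call `scan_tree()` on the product's installation directory; an empty result is consistent with the note above, and any hit should be compared against the affected versions listed in the linked S2-054 and S2-055 bulletins.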