Micro Focus Expert
Micro Focus Expert

(NNMi & Metrics) Support Tip: Security announcement around CVE-2017-15707 & CVE-2017-7525

Hello Forumites,

 Here is a quick update on the impact scope of the Apache Struts 2 vulnerabilities (CVE-2017-15707 & CVE-2017-7525) on HPE Network Node Manager (NNMi) and the related iSPIs.

Vulnerability Description : The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. In addition a vulnerability in the Jackson JSON library was discovered which is related to CVE-2017-7525 which can lead to arbitrary code execution.

For more information about the Apache Struts 2 vulnerability (CVE-2017-15707, CVE-2017-7525) vulnerability, please refer to :

  CVE-2017-15707 - https://cwiki.apache.org/confluence/display/WW/S2-054
  CVE-2017-7525 - https://cwiki.apache.org/confluence/display/WW/S2-055

Note : Apache Struts-2 is not shipped with any of the NNMi/iSPI product versions. As an effect, NNMi and the related iSPIs are not vulnerable to CVE-2017-15707, CVE-2017-7525.

MicroFocus Support
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HPE. If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.

Labels (1)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.