Hitachi Vantara Knowledge

Apache Struts Remote Code Execution Vulnerability

Priority:  High

Status: Monitoring


First Published: 2023 December 11

Advisory Version: 2.4

References: CVE-2023-50164


Summary

The Apache Struts project recently announced a vulnerability affecting certain versions of Struts. An attacker can manipulate file upload parameters to achieve path traversal and, under some circumstances, upload a malicious file that can then be used to execute code remotely. Additional information about this vulnerability is available here.

The affected versions of Apache Struts are:

  • Struts 2.0.0 - Struts 2.3.37 (End-of-Life)
  • Struts 2.5.0 - Struts 2.5.32
  • Struts 6.0.0 - Struts 6.3.0

This vulnerability is fixed in Struts 2.5.33 or later and Struts 6.3.0.2 or later. No fixed release exists for the end-of-life 2.0.0 - 2.3.37 branch; deployments on that branch must migrate to a supported branch.
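The version ranges above are the check a practitioner actually has to run against each host. The following script is an added example, not part of this advisory or of the Struts project: it walks a directory tree, picks out Struts core jars and classifies each one against the ranges listed above. It assumes the jar carries its Maven artifact name (struts2-core-<version>.jar); a repackaged or shaded jar would need a manifest-based check instead. The optional /proc-based "is any process holding this file open" helper is a Linux-only heuristic of the author's own, included because a jar that is on disk but not loaded is exactly the situation that turns up later in this advisory.

```python
"""Classify Apache Struts core jars on a host by CVE-2023-50164 status.

Added example; not part of the Hitachi Vantara advisory or the Struts project.
The version ranges are the ones the advisory lists. The jar naming pattern
(struts2-core-<version>.jar) and the /proc-based open-file check are assumptions.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.3.0.2' -> (6, 3, 0, 2). Tuples compare element-wise, and a shorter
    tuple sorts before a longer one sharing its prefix, so 6.3.0 < 6.3.0.2."""
    return tuple(int(part) for part in text.split("."))


# Ranges from the advisory.
EOL_LAST = parse_version("2.3.37")    # 2.0.0 - 2.3.37: end-of-life, no fix
FIXED_2X = parse_version("2.5.33")    # 2.5.0 - 2.5.32 are fixed in 2.5.33
FIXED_6X = parse_version("6.3.0.2")   # 6.0.0 - 6.3.0 are fixed in 6.3.0.2


def classify(version: str) -> str:
    """Map a struts2-core version string to a status for CVE-2023-50164."""
    v = parse_version(version)
    if v[0] == 2:
        if v <= EOL_LAST:
            return "vulnerable-eol"   # no fixed 2.3.x exists; migrate
        if v < FIXED_2X:
            return "vulnerable"       # upgrade to 2.5.33 or later
        return "fixed"
    if v[0] == 6:
        return "vulnerable" if v < FIXED_6X else "fixed"
    return "unlisted"                 # outside the ranges the advisory names


def struts_version_from_name(path: str) -> Optional[str]:
    """Return the version embedded in a struts2-core jar name, else None."""
    match = JAR_RE.match(os.path.basename(path))
    return match.group(1) if match else None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Pure classification of a list of paths; touches no filesystem."""
    results = []
    for path in paths:
        version = struts_version_from_name(path)
        if version is not None:
            results.append((path, version, classify(version)))
    return results


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a tree (for example an application's WEB-INF/lib) and classify."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in filenames)
    return scan_paths(found)


def held_open_by_pids(path: str) -> List[int]:
    """Linux-only heuristic (assumption): a JVM keeps its classpath jars open,
    so a jar open by no process is a candidate for 'present but not active'.
    No hit is not proof; confirm against the application's real classpath."""
    if not os.path.isdir("/proc"):
        return []
    real = os.path.realpath(path)
    holders = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == real:
                        holders.append(int(pid))
                        break
                except OSError:
                    continue
        except OSError:  # permission denied, or the process exited
            continue
    return holders


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, version, status in scan_tree(root):
        print(f"{status:15} {version:10} {jar}  open-by-pids={held_open_by_pids(jar)}")
```

Run it against the application root (for example `python3 scan_struts.py /opt/app`). A "fixed" result from the file name alone is only as trustworthy as the name; when in doubt, confirm the version from the jar's META-INF/MANIFEST.MF, and treat a "vulnerable" jar that no process has open as a finding to confirm rather than close.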

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine whether any are affected by this vulnerability. Any products or solutions found to be impacted will be listed in this section in subsequent updates to this advisory, along with fixed release versions where that information is available at the time. Likewise, any products or solutions confirmed not to be affected will be listed in the section below.

NOTE: Cited product documentation, including product-specific Alerts and Technical Bulletins, is available to Hitachi Vantara customers logged into Support Connect.

Content Products
  • Content Platform
    CVE-2023-50164: Vulnerable. An affected version of Struts is in use. The HCP 9.6.3 release will upgrade the Struts version.
  • Content Platform S Series
    CVE-2023-50164: Vulnerable (see specific details below).
    Customers running HCPS 2.2.3 software on S10/S30 systems are vulnerable to CVE-2023-50164.
    Customers running HCPS 3.1.6 software on S11/S31 systems are vulnerable to CVE-2023-50164.
    Hotfix 1 versions of the 2.2.3 and 3.1.6 HCPS software will be created to address CVE-2023-50164.
  • Content Platform Anywhere
    CVE-2023-50164: Vulnerable. An affected version of Struts is in use, but only in the Management Console of HCP Anywhere, which sits behind a firewall; Struts is not used in the User Portal. HCP Anywhere release 4.6.0 HF2 will upgrade the Struts version.

Products Confirmed Not Vulnerable

* As this is an ongoing investigation across all Hitachi Vantara product lines, products may be reclassified as vulnerable as their risk continues to be evaluated and as additional information about CVE-2023-50164 is released.

Storage Products
  • Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform VSP G130, VSP F/G350, VSP F/G370, VSP F/G700, VSP F/G900
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform G1000, F/G1500 (VSP F/G1x00) RAID 800
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Virtual Storage Platform (VSP) RAID 700
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Unified Storage VM (HUS VM) HM700
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2x00)
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Unified Storage DF850XS, DF850S, DF850MH (HUS 1x0)
    CVE-2023-50164: Not vulnerable. Affected components not used.
Content Products
  • Content Intelligence
    CVE-2023-50164: Not vulnerable. HCI/HCM does not use Apache Struts.
  • Content Platform S Series
    CVE-2023-50164: Customers who upgrade to HCPS 3.2.0 software on S11/S31 systems are NOT vulnerable. A scan of the packages installed as part of HCPS 3.2.0 will show version 2.5.30 of the Struts core library, but it is not used by the HCPS 3.2.0 code base: the entire UI in HCPS 3.2.0 was rewritten to use the East framework, and the older Struts-based code remains in the distribution but is not active. The inactive Struts-based code will be removed in a future release.
  • Content Software for File
    CVE-2023-50164: Not vulnerable. The OS does not include a Java framework, and the Struts libraries are not shipped.
  • Content Platform Gateway
    CVE-2023-50164: Not vulnerable. Apache Struts is not used in Gateway.
  • Data Ingestor
    CVE-2023-50164: Not vulnerable. The file storage product (HDI OS/HFSM) does not use the affected versions (2.x or 6.x) of Apache Struts.
  • HCP for Cloud Scale
    CVE-2023-50164: Not vulnerable. Apache Struts is not used in CS.
  • Content Platform Anywhere Enterprise
    CVE-2023-50164: Not vulnerable. Apache Struts is not used in HCP AWE.
Software Products
  • Hitachi Remote Ops
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • Hitachi Virtual Storage System Block (VSSB)
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Ops Center Administrator/HSA
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • Hitachi Ops Center Analyzer/Analyzer Probe/Analyzer Detail View
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • Hitachi Ops Center Protector/HDID
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • CM-REST
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • CCI/RAID Manager
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • Advanced Reporter
    CVE-2023-50164: Not vulnerable. Apache Struts is not used.
  • Hitachi Automation Director (HAD)
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • Hitachi Infrastructure Analytics Advisor (HIAA)
    CVE-2023-50164: Not vulnerable. Affected components not used.
  • UCP Advisor
    CVE-2023-50164: Not vulnerable. Affected components not used.


Recommended Actions

Please continue to check this Security Advisory; new information will be added as it becomes available.

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center or your Hitachi Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
