Today's Internet Scare:  Apache Struts Vulnerability (CVE-2017-5638)

Document created by jerryl on Mar 9, 2017
Version 1Show Document
  • View in full screen mode

A new bug has caught the Internet by a storm.  Number CVE-2017-5638 has been assigned for it in the Common Vulnerabilities and Exposures database; a description can be found at TrendLabs Security Intelligence BlogCVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution - TrendL… 


This bug is not relevant to Turbonomic servers.  Turbonomic servers rely on Apache to handle Web requests - when you connect your browser to a Turbonomic instance, you initially connect to an Apache server.  However, Apache is designed to be extensible and many extensions - plug-ins - exist.  CVE-2017-5638 is actually in an extension known as Struts 2.


Turbonomic servers do not, and never have, used Struts 2.  The software is not even present on Turbonomic VM's.


No vulnerability to this bug exists in Turbonomic servers, and there is no need to patch them.

5 people found this helpful