Struts Vulnerability Notification

Published by Maria Charalambous on

A recent IBM announcement indicates that a number of our clients may be exposed to a security flaw in SFG/B2Bi (Sterling File Gateway / Sterling B2B Integrator), caused by the version of Apache Struts bundled with the product. The affected component appears to be the HTTP Server adapter, so if you use AS2 or expose any other URLs through it, you may be at risk.

The vulnerability is rated high for government and business systems, although at the moment we are not aware of any evidence of it being exploited against IBM/Sterling software.

Our recommendation is to follow the guidance from IBM Support and register for B2Bi/SFG security notifications. Alternatively, contact us and we can review your systems and determine the best course of action.

For the technically minded

Apache Struts is a widely used open-source MVC framework for building Java web applications. Struts versions prior to 2.3.35 and 2.5.17 were the subject of a serious advisory in 2018, a flaw with the potential to execute arbitrary code on the system. That issue was addressed at the time, and B2Bi 6.0.3.2 at least ships Struts 2.5.18. The recommendation has now changed: IBM advises updating Struts to 2.5.22. The two current CVEs differ in severity. CVE-2019-0230 concerns forced OGNL evaluation of attacker-controlled input in tag attributes and may allow remote code execution; CVE-2019-0233 concerns file upload handling and leads to denial of service. Both affect Struts 2.0.0 through 2.5.20, so a 2.5.18 deployment is still within the affected range, and neither is fixed in any release before 2.5.22.

Related CVEs: CVE-2019-0230, CVE-2019-0233
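As an added worked example (not part of the original post or of IBM's guidance), the following POSIX shell script walks an install tree, finds Apache Struts core jars and flags any whose version is below 2.5.22. It assumes Struts is present on disk under the upstream artifact names struts2-core-<version>.jar or struts-core-<version>.jar; it does not know how B2Bi packages the library, so treat a clean result as a prompt to confirm against IBM's notification rather than as proof of being patched.

```shell
#!/bin/sh
# Added example (not IBM's or the original post's code): locate Apache Struts
# core jars under an install tree and flag any below the patched release.
# Assumption: Struts is deployed as struts-core-<ver>.jar or
# struts2-core-<ver>.jar (the upstream Maven artifact names). How B2Bi
# packages the library is not checked here.

MIN_VERSION="2.5.22"   # first release carrying the CVE-2019-0230/0233 fixes

# version_lt A B: exit 0 when dotted version A sorts before B, else 1.
# Missing fields count as 0, so 2.5 < 2.5.1 and 2.3.35 < 2.5.22.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 0; fi
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 1; fi
    done
    return 1
}

# jar_version PATH: print the version embedded in a Struts core jar name
# (e.g. struts2-core-2.5.18.jar -> 2.5.18); prints nothing if it does not match.
jar_version() {
    basename "$1" | sed -n 's/^struts2*-core-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
}

# scan_struts_jars DIR: one line per jar found, "<path> <version> OK|VULNERABLE".
scan_struts_jars() {
    find "$1" -type f -name 'struts*-core-*.jar' | while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$MIN_VERSION"; then
            echo "$jar $ver VULNERABLE"
        else
            echo "$jar $ver OK"
        fi
    done
}

# vulnerable_count DIR: number of Struts core jars below MIN_VERSION.
vulnerable_count() {
    scan_struts_jars "$1" | grep -c VULNERABLE || true
}

# Usage: sh struts_check.sh /path/to/b2bi/install   (path is a placeholder)
if [ -d "${1:-}" ]; then
    scan_struts_jars "$1"
    echo "vulnerable jars: $(vulnerable_count "$1")"
fi
```

Any jar on the 2.3.x branch is reported as vulnerable as well, which is correct for these two CVEs: the fixes were only published for the 2.5 line, so a 2.3.35 deployment is not covered by the 2018 remediation.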

The original IBM notification: https://www.ibm.com/support/pages/node/6324787

Categories: News