Dear Pharos Customers/Partners
Pharos software is not susceptible to the new Apache Struts vulnerability
Recently, a new security vulnerability was discovered inside Apache Struts:
This vulnerability is serious because it can allow Remote Code Execution when the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file and an ACTION tag is specified without a namespace attribute or with a wildcard namespace. Further, it has a CVSS v3 base score of 9.8 (out of a possible 10).
Many organizations, including Pharos customers, are urgently investigating where this tool is used so that they can update or repair those instances.
Pharos Software and Apache Struts
Pharos has reviewed all of our software and the third-party tools and libraries that we use, and can confirm that we do not use Apache Struts in any product. This includes:
- Uniprint (including all web interfaces)
- Blueprint (including all web interfaces)
- All Omega devices (including PS60, PS150, PS200)
- All iMFP implementations across all manufacturers
- Beacon – both the desktop components and the cloud infrastructure
Pharos products are therefore not vulnerable to the Apache Struts exploit.
Pharos Security Team
Pharos Systems International