
Dear Pharos Customers/Partners

 

Pharos software is not susceptible to the new Apache Struts vulnerability

 

Background

Recently, a new security vulnerability was discovered inside Apache Struts:

 

            CVE-2018-11776

            https://nvd.nist.gov/vuln/detail/CVE-2018-11776

 

This vulnerability is serious because it can allow Remote Code Execution when the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file and an ACTION tag is specified without a namespace attribute or with a wildcard namespace. Further, it has a CVSS v3 base score of 9.8 (out of a possible 10).

 

Many organizations, including Pharos customers, are urgently investigating where this tool is used so that they can update/repair those instances.

 

Pharos Software and Apache Struts

Pharos has reviewed all of our software and the third-party tools/libraries that we use, and can confirm that we do not use Apache Struts in any product. This includes:

 

  • Uniprint (including all web interfaces)
  • Blueprint (including all web interfaces)
  • Mobileprint
  • All Omega devices (including PS60, PS150, PS200)
  • All iMFP implementations across all manufacturers
  • Beacon – both the desktop components and the cloud infrastructure
  • Kiosks

 

Pharos products are therefore not vulnerable to the Apache Struts exploit.

 

 

Regards,

Pharos Security Team

Pharos Systems International

585-939-7000

pharossecurityteam@pharos.com