Paul Reddy

Pharos software not susceptible to new Apache Struts vulnerability

Blog Post created by Paul Reddy on Sep 10, 2018

Dear Pharos Customers/Partners,


Pharos software is not susceptible to the new Apache Struts vulnerability



Recently, a new security vulnerability was discovered in Apache Struts:





This vulnerability is serious because it allows possible remote code execution when the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file and an ACTION tag is specified without a namespace attribute or with a wildcard namespace. It also has a CVSS v3 base score of 9.8 (out of a possible 10).


Many organizations, including Pharos customers, are urgently investigating where this tool is used so that they can update or repair those instances.
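
One way to check a struts.xml file for the condition described above, as an added example that is not Pharos or Apache code. It assumes the namespace is declared on the enclosing `<package>` element; the function name, the sample file and its package and action names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SETTING = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample configuration; package, action and class names are made up.
SAMPLE_STRUTS_XML = """
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default">
    <action name="help" class="example.HelpAction"/>
  </package>
  <package name="reports" extends="struts-default" namespace="/*">
    <action name="list" class="example.ListAction"/>
  </package>
  <package name="admin" extends="struts-default" namespace="/admin">
    <action name="users" class="example.UsersAction"/>
  </package>
</struts>
"""


def audit_struts_config(xml_text):
    """Report whether a struts.xml matches the condition described above."""
    root = ET.fromstring(xml_text.strip())
    # The option may also be set outside struts.xml (for example in
    # struts.properties); this check reads only the XML it is given.
    enabled = any(
        c.get("name") == SETTING
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    flagged = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard namespace
        reason = "wildcard namespace" if ns else "no namespace"
        actions = [a.get("name") for a in pkg.findall("action")]
        flagged.append((pkg.get("name"), reason, actions))
    return {
        "setting_enabled": enabled,
        "flagged_packages": flagged,
        "precondition_met": enabled and bool(flagged),
    }
```

A match only shows that the configuration fits the described condition; the installed Struts version still has to be checked against the vendor's advisory.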


Pharos Software and Apache Struts

Pharos has reviewed all of our software and the third-party tools and libraries that we use, and can confirm that we do not use Apache Struts in any product. This includes:


  • Uniprint (including all web interfaces)
  • Blueprint (including all web interfaces)
  • Mobileprint
  • All Omega devices (including PS60, PS150, PS200)
  • All iMFP implementations across all manufacturers
  • Beacon – both the desktop components and the cloud infrastructure
  • Kiosks


Pharos products are therefore not vulnerable to the Apache Struts exploit.




Pharos Security Team

Pharos Systems International