
Knowledge Base & Downloads

3 Posts authored by: Paul Reddy

Dear Pharos Customers/Partners

Pharos software is not susceptible to the new Apache Struts vulnerability

Background

Recently, a new security vulnerability was discovered inside Apache Struts:

            CVE-2018-11776
            https://nvd.nist.gov/vuln/detail/CVE-2018-11776

This vulnerability is serious because it allows possible remote code execution when the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file and an action tag is specified without a namespace attribute or with a wildcard namespace. Further, it has a CVSS v3 base score of 9.8 (out of a possible 10).
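An added illustration, not part of the Pharos advisory, of the configuration condition just described as it would appear in a Struts 2 application's struts.xml during a configuration review: the first fragment combines the settings the CVE description names, the second uses explicit namespaces. The package names, action class and result path are placeholders.

```xml
<!-- Fragment 1: the condition the CVE description refers to (review finding).
     Full-namespace selection is on (some plugins, such as the Convention
     plugin, enable it) and the package declares no namespace, so the mapper
     may take the namespace from the request rather than from configuration.
     A wildcard namespace, e.g. namespace="/*", has the same effect. -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="legacy" extends="struts-default">
    <action name="report" class="com.example.ReportAction">  <!-- placeholder -->
      <result>/WEB-INF/jsp/report.jsp</result>               <!-- placeholder -->
    </action>
  </package>
</struts>

<!-- Fragment 2: the corrected form. Full-namespace selection is left at its
     default (false) and every package carries an explicit, non-wildcard
     namespace, so no namespace is derived from the request. This narrows the
     exposure; upgrading to a patched Struts release is still the actual fix. -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false" />
  <package name="reports" namespace="/reports" extends="struts-default">
    <action name="report" class="com.example.ReportAction">  <!-- placeholder -->
      <result>/WEB-INF/jsp/report.jsp</result>               <!-- placeholder -->
    </action>
  </package>
</struts>
```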

 

Many organizations, including Pharos customers, are urgently investigating where this tool is used and updating/repairing those instances.

 

Pharos Software and Apache Struts

Pharos has reviewed all our software and 3rd party tools/libraries that we use and can confirm that we do not use Apache Struts in any product. This includes:

  • Uniprint (including all web interfaces)
  • Blueprint (including all web interfaces)
  • Mobileprint
  • All Omega devices (including PS60, PS150, PS200)
  • All iMFP implementations across all manufacturers
  • Beacon – both the desktop components and the cloud infrastructure
  • Kiosks

Pharos products are therefore not vulnerable to the Apache Struts exploit.

Regards,

Pharos Security Team

Pharos Systems International

585-939-7000

pharossecurityteam@pharos.com

Background

Recently, a security vulnerability was discovered inside Apache Struts:

            CVE-2018-1327
            https://nvd.nist.gov/vuln/detail/CVE-2018-1327

This vulnerability is reasonably serious because it allows a denial-of-service (DoS) attack via a malicious request.

 

A security vulnerability was also discovered inside Jackson-databind:

            CVE-2018-7489
            https://nvd.nist.gov/vuln/detail/CVE-2018-7489

This vulnerability is serious because it allows unauthenticated remote code execution and is easy to exploit.

 

Many organizations, including Pharos customers, are urgently investigating where these tools are used and updating/repairing those instances.

 

Pharos Software, Apache Struts and Jackson-databind

Pharos has reviewed all our software and 3rd party tools/libraries that we use and can confirm that we do not use Apache Struts or Jackson-databind in any product. This includes:

  • Uniprint (including all web interfaces)
  • Blueprint (including all web interfaces)
  • Mobileprint
  • All Omega devices (including PS60, PS150, PS200)
  • All iMFP implementations across all manufacturers
  • Beacon – both the desktop components and the cloud infrastructure
  • Kiosks

Pharos products are therefore not vulnerable to either the Apache Struts exploit or the Jackson-databind exploit.

Regards,

Pharos Security Team

Pharos Systems International

585-939-7000

pharossecurityteam@pharos.com

Background

Recently a pair of vulnerabilities has been disclosed that affect most computers around the world. These vulnerabilities have been named Meltdown and Spectre.

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any physical, kernel or other process's mapped memory, regardless of whether or not it should be able to do so. (From Wikipedia.)

Meltdown's CVE ID is CVE-2017-5754.

Spectre is a vulnerability in implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs' mapped memory. (From Wikipedia.)

Spectre's CVE IDs are CVE-2017-5753 and CVE-2017-5715.

 

Pharos Cloud Services

Pharos cloud services reside inside Amazon Web Services (AWS) and are protected from direct access by firewalls. These services do run on computers whose processors are affected by Spectre and Meltdown. AWS has patched all of their systems, and all Beacon Cloud Platform operating systems have also been patched.

Pharos Omega Devices

Pharos Omega devices are secured devices and are not open to third party software execution. While Omegas are currently susceptible to both vulnerabilities, Pharos does not believe that this can be exploited at this time.

 

Pharos iMFP

Pharos iMFP software runs on OEM hardware provided by printer/copier manufacturers. These manufacturers will need to provide patches if required.

Pharos On-Site Software

All Pharos on-site software runs on customer or partner managed servers, and will need to be upgraded as patches become available. Pharos software itself is not vulnerable.

Pharos Internal Infrastructure

Patches are being applied to all operations and non-test devices on the Pharos internal network, with anticipated completion by end of January 2018.

 

Recommendations

Apply your manufacturer and OS service packs and updates as soon as they are available.

As always, the Pharos security team is happy to answer any questions you may have.

Regards,

Pharos Security Team

Pharos Systems International

585-939-7000

pharossecurityteam@pharos.com