On 6 March the Apache Foundation released a patch for the Struts 2 framework, also known as “Jakarta Struts” and “Apache Struts”. This is a Java framework commonly used by Java-based web applications, and is a component within Aerohive HiveManager Classic and other products. The patch fixes an easy-to-exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released that same day, other exploit code has subsequently been published, and by the end of that week active exploitation on the Internet was being observed.
AFFECTED PRODUCTS AND VERSIONS
- Aerohive HiveOS, all versions, is NOT vulnerable. HiveOS does not contain Apache or Struts.
- Aerohive HiveManager NG is NOT vulnerable. HiveManager NG does not use Struts.
- Aerohive Mobility Suite (comprising ID Manager, Client Management, and Social Login) is NOT vulnerable.
- Aerohive HiveManager Classic OnLine (HMOL), all versions, was vulnerable, but all affected servers have now been patched.
- Aerohive cloud servers (MyHive, Redirector, License servers, etc) were vulnerable, but all affected servers have now been patched.
- Aerohive HiveManager Classic on-premises, versions 6.8r7 and earlier, are vulnerable. Versions 6.8r7a and later are not.
The vulnerability allows an unauthenticated attacker to include code in the “Content-Type” header of an HTTP request, which then gets executed by the web server.
The vulnerability was publicly disclosed as a result of the Apache patch release. It was first brought to Aerohive’s attention by, and we offer our sincere thanks to, Jacco van Tujil and Ajay S. Kulal (Twitter: www.twitter.com/ajay_kulal).
It has been assigned CVE-2017-5638 by the National Vulnerability Database.
HIGH to Aerohive customers who use HiveManager Classic on-premises.
NONE to Aerohive customers who use HiveManager NG, HiveManager Classic Online, or Mobility Suite.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No action is needed for Aerohive cloud products, including HiveManager Classic OnLine and HiveManager NG. Aerohive applied patches to these servers proactively and all patches were completed as of Thursday 16 March 2017.
Users of Aerohive’s on-premises version of HiveManager Classic should immediately retrieve from the Aerohive support portal the HiveManager version 6.8r7a image appropriate for their environment and the hivemanager-struts patch located in the HiveManager Classic 6.8r7a folder, and install them in that order.
On-premises HiveManager Classic customers who have their server located in a Network Operations Center can also place a web application firewall and/or Intrusion Detection System in front of their HiveManager server. Signatures to detect an attack of this type for the popular Snort IDS and AlienVault USM products have already been published, and signatures for other popular firewalls and IDS are expected shortly.
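As an added illustration of the kind of check such a WAF or IDS rule can apply in front of a Struts application, the following example (written for this note; not Aerohive's or Apache's code) accepts a Content-Type header only if it parses as an RFC 7231 media type and alerts on anything else, including the expression openers the vulnerable parser evaluated. The header values are constructed samples, not real traffic.

```python
import re
from typing import NamedTuple

# RFC 7230 token: visible ASCII except the delimiters "(),/:;<=>?@[\]{}
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
# media-type = type "/" subtype *( OWS ";" OWS parameter )  (RFC 7231 section 3.1.1.1)
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Expression openers that never belong in a media type; braces are not token
# characters, so the grammar check alone rejects them, but naming them gives a
# more useful alert reason.
_EXPR_OPENERS = ("%{", "${")


class Verdict(NamedTuple):
    suspicious: bool
    reason: str


def check_content_type(value: str) -> Verdict:
    """Allow-list check: accept only values that parse as a media type."""
    for opener in _EXPR_OPENERS:
        if opener in value:
            return Verdict(True, f"expression opener {opener!r} in Content-Type")
    if not _MEDIA_TYPE.match(value):
        return Verdict(True, "Content-Type does not parse as an RFC 7231 media type")
    return Verdict(False, "ok")


# Constructed sample: (request id, raw Content-Type value) pairs as a reverse
# proxy or WAF might log them. These are not real observed requests.
SAMPLE_HEADERS = [
    ("req-1", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("req-2", "application/x-www-form-urlencoded"),
    ("req-3", "%{(#placeholder='multipart/form-data')}"),
    ("req-4", 'text/plain; charset="utf-8"'),
    ("req-5", "multipart/form-data; boundary={{unbalanced"),
]


def scan(headers):
    """Return the ids of requests whose Content-Type should be blocked or alerted on."""
    return [rid for rid, value in headers if check_content_type(value).suspicious]


if __name__ == "__main__":
    for rid, value in SAMPLE_HEADERS:
        verdict = check_content_type(value)
        print(f"{rid}: {'ALERT' if verdict.suspicious else 'ok   '} {verdict.reason}")
```

Because the check is an allow-list on the header grammar rather than a signature for one payload, req-5 is also flagged even though it contains no expression opener.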
STATUS OF THIS NOTICE: FINAL
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aerohive’s website at:
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision 1 / 2017-03-17 / Initial publication
Revision 2 / 2017-10-05 / Final revision, updated to reflect HiveManager on-premises versions
AEROHIVE PSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aerohive products and on obtaining assistance with security incidents is available at
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at
© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.