Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900


## Summary

There is a vulnerability in Apache Struts to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 are susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.

## Vulnerability Details

**CVEID:** [CVE-2017-5638](https://vulners.com/cve/CVE-2017-5638)

**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on the Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system.

CVSS Base Score: 7.3

CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/122776](https://exchange.xforce.ibmcloud.com/vulnerabilities/122776) for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

## Affected Products and Versions

FlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. FlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2.
Code versions affected include supported VRMFs: · – · –

## Remediation/Fixes

| MTMs | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| **FlashSystem 840 MTMs:** 9840-AE1 & 9843-AE1; **FlashSystem 900 MTMs:** 9840-AE2 & 9843-AE2 | Code fixes are now available; the minimum VRMF containing the fix depends on the code stream. Fixed code VRMF: 1.4 stream: ; 1.3 stream: | N/A | [FlashSystem 840 fixes](http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all) and [FlashSystem 900 fixes](http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all) are available at IBM's Fix Central |

## Workarounds and Mitigations

None
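Detection logic for the Content-Type vector described under Vulnerability Details, as an added example that is not part of IBM's bulletin: it flags logged requests whose Content-Type header is not a well-formed media type or carries expression-language syntax. The request records, paths and IP addresses are constructed, and the media-type grammar follows RFC 7231.

```python
import re

# Constructed sample requests (not real traffic): the Content-Type header each
# client sent, as a reverse proxy or WAF in front of a Struts app might log it.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.10", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"},
    {"src": "198.51.100.11", "path": "/upload.action",
     "content_type": "%{#demo}"},          # expression syntax, not a media type
    {"src": "198.51.100.12", "path": "/login.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "198.51.100.13", "path": "/upload.action",
     "content_type": "multipart/form-data; ${#demo}"},  # expression in a parameter
]

# RFC 7231 media-type grammar: token "/" token, then optional ";name=value"
# parameters whose value is a token or a quoted-string.
_TOKEN = r"[-!#$%&'*+.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(
    r"^\s*" + _TOKEN + "/" + _TOKEN
    + r"(?:\s*;\s*" + _TOKEN + "=(?:" + _TOKEN + r'|"[^"]*"))*\s*$'
)
# Expression-language openers that have no place in a media type.
_EXPR_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> list:
    """Return the reasons a Content-Type value looks suspicious; [] means normal."""
    reasons = []
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a well-formed media type")
    for marker in _EXPR_MARKERS:
        if marker in value:
            reasons.append(f"contains expression marker {marker!r}")
    return reasons


def find_suspicious(requests: list) -> list:
    """Filter logged requests down to those whose Content-Type needs a look."""
    hits = []
    for req in requests:
        reasons = classify_content_type(req["content_type"])
        if reasons:
            hits.append({**req, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REQUESTS):
        print(hit["src"], hit["path"], hit["content_type"], "->", "; ".join(hit["reasons"]))
```

A well-formedness check like this is a triage aid for logs, not a substitute for the code fix listed above, since legitimate clients occasionally send odd media types and must be reviewed rather than blocked outright.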

## Affected Software

| CPE Name | Version |
|---|---|
| ibm flashsystem 900 | any |