I’ve just come across an IBM technote from May 2014 that has been updated over the last few days, listing details of a number of vulnerabilities in Apache Struts:
[titled_box title=”Vulnerability Details”]Several security vulnerabilities have been reported against Apache Struts through April 2014. IBM Connections uses Struts. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix these vulnerabilities apply the fixes as detailed in the Remediation section.
The following versions of IBM Connections are impacted:
IBM Connections 5.0
IBM Connections 4.5
IBM Connections 4.0
IBM Connections 3.0.1.1 and earlier releases[/titled_box]
There are fixes for all the above mentioned versions of Connections. Here are the two most recent:
| IBM Connections 5.0 | Apply APAR LO80688 |
| IBM Connections 4.5 | Upgrade to IBM Connections 4.5 CR4 and apply Interim Fix APAR LO81215 |
I would definitely recommend getting these security fixes on ASAP, particularly if your IBM Connections platform is public-facing…