{"id":76141,"date":"2017-03-16T12:52:44","date_gmt":"2017-03-16T12:52:44","guid":{"rendered":"http:\/\/www.esri.com\/arcgis-blog\/products\/product\/uncategorized\/struts-vulnerability-bandwagon\/"},"modified":"2022-02-16T11:22:50","modified_gmt":"2022-02-16T19:22:50","slug":"struts-vulnerability-bandwagon","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon","title":{"rendered":"Struts Vulnerability Bandwagon"},"author":3911,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[24081,24071],"industry":[],"product":[763582],"class_list":["post-76141","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-ssamymlgp","tag-security","product-trust-arcgis"],"acf":{"short_description":"While we don't have a habit of announcing when our products are NOT vulnerable to a specific security issue, sometimes IT teams pounce on...","flexible_content":[{"acf_fc_layout":"content","content":"<p><span style=\"color: #000000;font-family: Calibri\">While we don&#8217;t have a habit of announcing when our products are NOT vulnerable to a specific security issue, sometimes IT teams pounce on the panic button (understandably)\u00a0when they hear about a new critical vulnerability that hit the media mainstream.\u00a0 Some customers have gone so far as to shut systems down due to Apache Struts vulnerability <\/span><a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2017-5638\"><span style=\"color: #0563c1;font-family: Calibri\">CVE-2017-5638<\/span><\/a><span style=\"color: #000000;font-family: Calibri\">, and subsequently began asking if the vulnerability was applicable to the ArcGIS Enterprise product line.<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">Now the good news, ArcGIS Enterprise commercial products under General Availability and even Extended Support are NOT vulnerable to this Apache Struts issue as they do not utilize Apache Struts.<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">Some customer IT teams did some Google searches and came across an old version of the open-source GeoPortal Server offering which contains Apache Struts.\u00a0 This created some concerns\/confusion, however it utilizes an older version of the Struts framework 1.x, which has NOT been confirmed as vulnerable by Apache.\u00a0 If your organization is utilizing GeoPortal Server 1.x, we strongly recommend you migrate to GeoPortal Server version 2.5 as it <\/span><a href=\"https:\/\/blogs.esri.com\/esri\/arcgis\/2017\/01\/28\/open-source-geoportal-server-security-patch\/\"><span style=\"color: #0563c1;font-family: Calibri\">addresses confirmed security issues<\/span><\/a><span style=\"color: #000000;font-family: Calibri\"> not related to Struts. Two additional notes: \u00a01) GeoPortal Server version 2.x does NOT utilize Struts. \u00a02) The open-source GeoPortal Server is a separate code-base from the Esri commercial offering of Portal for ArcGIS.\u00a0 Portal for ArcGIS is a part of the ArcGIS Enterprise family and does not contain Struts.<\/span><\/p>\n<p><span style=\"color: #000000;font-family: Calibri\">For future reference, if there is a critical security issue that has broad media attention and we\u2019ve confirmed key products are vulnerable we quickly post such issues here and update as relevant.\u00a0 Please check Trust.ArcGIS.com announcements to get a security sanity check for the ArcGIS platform.<\/span><\/p>\n<p><em><span style=\"color: #000000;font-family: Calibri\">&#8211; The Security Standards &amp; Architecture Team<\/span><\/em><\/p>\n"}],"authors":[{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}],"related_articles":"","card_image":false,"wide_image":false},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Struts Vulnerability Bandwagon<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Struts Vulnerability Bandwagon\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2022-02-16T19:22:50+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\"},\"author\":{\"name\":\"Michael Young\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678\"},\"headline\":\"Struts Vulnerability Bandwagon\",\"datePublished\":\"2017-03-16T12:52:44+00:00\",\"dateModified\":\"2022-02-16T19:22:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\"},\"wordCount\":3,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"ArcGIS Trust Center\",\"Security\"],\"articleSection\":[\"Administration\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\",\"name\":\"Struts Vulnerability Bandwagon\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2017-03-16T12:52:44+00:00\",\"dateModified\":\"2022-02-16T19:22:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Struts Vulnerability Bandwagon\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678\",\"name\":\"Michael Young\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg\",\"caption\":\"Michael Young\"},\"sameAs\":[\"http:\/\/trust.arcgis.com\"],\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Struts Vulnerability Bandwagon","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon","og_locale":"en_US","og_type":"article","og_title":"Struts Vulnerability Bandwagon","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2022-02-16T19:22:50+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon"},"author":{"name":"Michael Young","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678"},"headline":"Struts Vulnerability Bandwagon","datePublished":"2017-03-16T12:52:44+00:00","dateModified":"2022-02-16T19:22:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon"},"wordCount":3,"commentCount":0,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["ArcGIS Trust Center","Security"],"articleSection":["Administration"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon","name":"Struts Vulnerability Bandwagon","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2017-03-16T12:52:44+00:00","dateModified":"2022-02-16T19:22:50+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/struts-vulnerability-bandwagon#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"Struts Vulnerability Bandwagon"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678","name":"Michael Young","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg","caption":"Michael Young"},"sameAs":["http:\/\/trust.arcgis.com"],"url":"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000"}]}},"text_date":"March 16, 2017","author_name":"Michael Young","author_page":"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust Center","tag_data":[{"term_id":24081,"name":"ArcGIS Trust Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":24071,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":24071,"taxonomy":"post_tag","description":"","parent":0,"count":126,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":428,"filter":"raw"}],"product_data":[{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center team","parent":36981,"count":89,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/76141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/3911"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=76141"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/76141\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=76141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=76141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=76141"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=76141"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=76141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}