Response to Apache Struts vulnerability announcement

On September 15, 2017, the FBI Cyber Division issued Alert Number MC-000086-MW regarding a security vulnerability found with Apache Struts web servers. Through a coordination of efforts, our engineers have reviewed the notice and we are providing the below response:

This vulnerability is regarding Apache Struts which is a Linux platform and is not patched by our patch management system. However, these sorts of Linux-based web servers would be patched by any individual web service provider that leverages the Apache Struts platform – either the application developer for anything that may leverage it in-house, or by the web host for anything managed that’s outside of your environment. This is a question better directed to your key line of business application vendors and core provider, as well as your web host or any internet-facing application providers.

For your benefit, the following is a question you can send to your application vendors:


We have recently received a bulletin from the Massachusetts Division of Banks regarding an FBI/DHS Joint Analysis about a critical vulnerability in the web server software frame-work, Apache Struts. Can you please provide a response with regards to if the software we utilize from you is susceptible to this vulnerability and if so what steps you are taking to re-mediate and ensure we are no longer affected.”

In addition, we are reviewing manufacturer websites with regards to this vulnerability to see if they have released any security bulletins and will take action accordingly.