Update 3/17/17: Several revisions of the advisory have been released which provide more workarounds and fixes for our products including DaaS and vROps. Please see the changelog in section 6. for details.

Update 3/14/17: Do not apply the workaround previously provided for vCenter 6.5 as it has been shown to have functional impacts in customer environments. VMSA-2017-0004 will be updated if a viable workaround is confirmed. We have not received reports of problems with the 6.0 workaround.

Greetings from the VMware Security Response Center!

By now I am sure you have all heard about the Apache Struts 2 remote code execution vulnerability identified by CVE-2017-5638 which was disclosed last week. If you haven’t, welcome! You can find the original advisory from Apache here to get yourself caught up. In response, the VMware Security Engineering, Communications, and Response group (vSECR) immediately began investigations into the vulnerability and how it may affect our products. The outcome of these investigations can be found in VMSA-2017-0004.

The product teams are working on getting fixes published as soon as possible. For now, the advisory documents available workarounds that concerned customers can implement today. We also want to clarify that products not listed in this advisory are not affected by CVE-2017-5638. VMSA-2017-0004 will be updated when fixes become available for the listed products.

Please sign up to be notified when the VMSA gets updated with fixes and workarounds here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions about the advisory.