We need to update AutoPass License Server due to struts vulnerability
Question ID: 108602
1
0

Our security team has discovered that AutoPass License Server (APLS) uses struts that has a security vulnerability. How can we upgrade it to upgrade the Apache Struts version 2.3.35 or 2.5.17?

Can we just upgrade to latest APLS 10.7?

Marked as spam
Posted by (Questions: 387, Answers: 66)
Asked on September 5, 2018 7:20 pm
603 views
Answers (1)
1
Private answer

You can install AutoPass License Server (APLS) 10.7 and perform the steps below.
For UFT versions prior to 14.50, you'll also need to update the Server.xml file to work with TLS 1, 1.1.

To do this:

- Stop the APLS Service.
- Uninstall the existing version of APLS (9.3/9.3.4 or earlier) completely via the control panel (Use the migration document to save your APLS data if needed, otherwise you'll have to reinstall license keys and re-do any customizations)
- Remove the 'Zero G Registry' folder from 'C:Program Files', also remove any installation file exists for existing version (like 'C:Program FilesHP' folders)
- Once uninstallation is done, install APLS 10.7 software which can be downloaded from the [marketplace site][1]
- Once APLS 10.7 is installed, the default APLS installation location is:

C:Program Filesautopassaplsapls

- Stop the APLS service.

- Delete the ''struts2-core-2.5.16'' and ''struts2-tiles-plugin-2.5.16'' jars from following location:

C:Program FilesautopassaplsaplswebappsautopassWEB-INFlib

- Download the latest version from the [Apache site][2]
- Copy the the updated two ''struts2-core-2.5.17'' and ''struts2-tiles-plugin-2.5.17'' struts jars into:

C:Program FilesautopassaplsaplswebappsautopassWEB-INFlib

After installing APLS 10.7, stop the APLS service.
Navigate to the server.xml location. Depending on how you installed APLS, it should be something like this:
C:Program Filesautopassaplsaplsconf

Edit the server.xml file sslEnabledProtocols to read:
sslEnabledProtocols='' TLSv1,TLSv1.1,TLSv1.2''
Save the file.

Restart the service again.

[1]:https://marketplace.microfocus.com/itom/content/autopass-license-server
[2]:http://struts.apache.org/download.cgi#struts2517

Marked as spam
Posted by (Questions: 17, Answers: 807)
Answered on September 5, 2018 7:24 pm
0
Doing the above steps fixed our struts vulnerability issue. Thanks!
( at September 5, 2018 7:28 pm)
EyeOnTesting

Welcome back to "EyeOnTesting" brought to you by Orasi Software, Inc.

X
Scroll to Top