Common Vulnerabilities and Exposures (CVEs)

| Name | Description | Vulnerable? | Fix Version |
| --- | --- | --- | --- |
| CVE-2019-2698 | Not affected; we do not run untrusted code. | No | 5.4.3 |
| CVE-2019-2684 | Not affected. Our application does not use RMI. | No | 5.4.3 |
| CVE-2019-2602 | We don't believe our application is affected. Our application makes very limited use of the BigDecimal class and in those uses does not convert a user-provided string to a long. | No | 5.4.3 |
| CVE-2018-3639 | We do not run untrusted code alongside the application in the Tomcat process. https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works | No | |
| CVE-2018-3214 | Does not affect us; we do not implement sound. | No | 5.4.3 |
| CVE-2018-3183 | Does not affect us. Does not affect server environments where all code is trusted. | No | 5.4.3 |
| CVE-2018-3180 | Does not affect us; we use NSS, not JSSE, for TLS sessions. | No | 5.4.3 |
| CVE-2018-3169 | Does not affect us. Does not affect server environments where all code is trusted. | No | 5.4.3 |
| CVE-2018-3150 | Not affected. Uplogix products only run trusted jar files. | No | 5.4.3 |
| CVE-2018-3149 | Does not affect us; we do not use the JNDI to LDAP bridge. | No | 5.4.3 |
| CVE-2018-2952 | We do not use Java deserialization. | No | 5.4.3 |
| CVE-2018-2815 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2814 | Only applies to servers running untrusted Java code; we only run trusted Java code. | No | |
| CVE-2018-2800 | We don't use RMI. | No | |
| CVE-2018-2799 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2798 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2797 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2796 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2795 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2794 | We do not deserialize untrusted user data. | No | |
| CVE-2018-2790 | Only applies to servers running untrusted Java code; we only run trusted Java code. | No | |
| CVE-2018-2678 | We do not use Java serialization. | No | |
| CVE-2018-2677 | We do not use Java serialization. | No | |
| CVE-2018-2663 | We do not use Java serialization. | No | |
| CVE-2018-2641 | We do not use AWT. | No | |
| CVE-2018-2637 | We do not use JMX. | No | |
| CVE-2018-2634 | We do not use JGSS. | No | |
| CVE-2018-2633 | We do not use LDAP. | No | |
| CVE-2018-2629 | We do not use JGSS. | No | |
| CVE-2018-2618 | We delegate to NSS for TLS and do not support Diffie-Hellman for TLS. | No | |
| CVE-2018-2603 | All parsing of certificates in the UCC is done by NSS. | No | |
| CVE-2018-2602 | Requires a local (untrusted) user to put code in the classpath. | No | |
| CVE-2018-2599 | We do not use the DNS component of JNDI. | No | |
| CVE-2018-2588 | We do not use the LDAP component. | No | |
| CVE-2018-2582 | Requires untrusted code to be run. | No | |
| CVE-2018-2579 | We do not use OpenJDK's PBKDF2. We delegate to NSS for 3DES in TLS and SSH. | No | |
| CVE-2018-18066 | Does not apply. Requires an SNMP listener. We only send traps. | No | 5.4.3 |
| CVE-2018-18065 | Does not apply. Requires an SNMP listener. We only send traps. | No | 5.4.3 |
| CVE-2018-14627 | We do not use IIOP. | No | 5.4.3 |
| CVE-2018-1327 | We do not use the REST plugin. | No | |
| CVE-2018-12548 | Only applies to OpenJ9. Our JVM does not contain the affected class. | No | 5.4.3 |
| CVE-2018-11776 | 1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin. 2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin. We match neither condition, so the UCC is not vulnerable to this. | No | 5.4.3 |
| CVE-2018-1111 | The Uplogix Control Center does not ship with the required software to execute and exploit this vulnerability. The Local Manager does not contain the vulnerable code. | No | 0 |
| CVE-2017-9805 | This affects the REST plugin, which we don't use. | No | |
| CVE-2017-9804 | This does not affect us. It is a bug in URLValidator, which our application does not use. https://struts.apache.org/docs/s2-050.html | No | |
| CVE-2017-9793 | This does not affect us. It is a vulnerability in the Struts REST plugin, which our application does not use. https://struts.apache.org/docs/s2-051.html https://qz.com/1069960/researchers-just-discovered-a-bug-that-has-made-the-apache-struts-framework-vulnerable-to-simple-hacks-since-2008/ | No | |
| CVE-2017-5664 | Our products are not vulnerable to this issue, as we override the error page with a JSP, not with a static HTML page which uses the DefaultServlet. | No | |
| CVE-2017-5638 | Strutshock | Yes | 5.4.2 |
| CVE-2017-14491 | We do not use dnsmasq in versions 5.4.x and earlier. In version 5.5 we are using the recommended patched version that the exploit does not affect. | No | 5.5 |
| CVE-2016-9311 | A flaw was found in the way ntpd implemented the trap service. A remote attacker could send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. | Yes | 5.4.1 |